[mcs]

Please correct me if I am mistaken, but couldn't this have been implemented into an iframe that when ran could send the passwords to another remote server?

If so, I am a little taken back by LastPass only offering $1,000 to the researcher that found and reported it for fixing. He or she could have taken a different path and resulted in this being used in some complex targeted attack against tech corporations via short-url redirect interstitial pages, or an ad network's javascript, etc. Given the potential damage, I'd say there is a missing zero or two on that reward amount, in my opinion.

[zaroth]

Normally I like bike shedding about bug bounty payouts just about as much as complaints about paywalls. If you are going to go poking around someone's code for fun or profit, the terms of the bounty program are readily available [1] so you can't complain after the fact for earning the maximum payout. LastPass isn't Facebook, and they never claimed they would pay more than $1,000 even for a full compromise or RCE.

On the other hand, using regexp to parse the URL when it's such an obviously security critical code path... just, why?!

[1] - https://bugcrowd.com/lastpass

[K0nserv]

The concern with the low payout is that it's supposed to be a way to compensate white hat hackers and dissuaded them from going to the black market with security problems like this. Given the business that LastPass is in wouldn't you agree that it's extremely crucial they make sure white hat hackers are aptly compensated for serious problems they find? In fact I'd think it'd be reasonable for them to pay more than Facebook for certain classes of bugs(like this one). After all all your passwords are more valuable than your Facebook account.

[tptacek]

No, that is not at all what a bug bounty is meant to do. We are not expected to pay people to avoid them launching criminal conspiracies against us.

The purpose of a bug bounty is to incentivize researchers to target specific pieces of software so that vendors can benefit from that attention.

[jontas]

Let's assume that there is a spectrum of honesty (say, from 1-10) and the pool of people capable of discovering vulnerabilities in your product includes people from the entire range.

If you're a 10 you will disclose responsibly regardless of a bounty, and if you're a 1 you will disclose to the highest bidder. The rest will weight profit, ethics, and risk in some ratio depending on where they fall on the scale and decide to act based on that calculation.

The company has to price their bounty on a few factors: how much they can afford to pay, how much a bug is worth to them (eg damage to their reputation, fines in the event of a vulnerability), and how important it is and to have researchers looking at their product instead of another product.

I agree with you that companies should not be required to pay people to prevent them from launching criminal conspiracies. But this is not a perfect world and people are not so black and white in their actions and motivations. There is no point trying to optimize your bounty program for the 1's or the 10's. Therefore, when optimizing for the rest it makes sense to pay as much as possible within the constraints I mentioned (in the previous paragraph) in order to tip the scales in your favor for the largest part of the spectrum possible. Right now the tech community knows about this problem with LastPass. If this exploit had made it to the wild things would've been much worse for them from a PR perspective.

I am hoping that the $1000 cap on the bounty program came from careful consideration of these factors, but my gut tells me it was a number handed down from management.

[Houshalter]

The point is to get more tens to even look at the code, not encourage people that have already found vulnerabilities to share them. I also think you vastly overestimate the percentage of criminals.

[K0nserv]

I think it's a bit of bucket A and bit of bucket B. Still even if one accept the definition you put forth the argument that having such low bounties makes LastPass look bad/like they're not caring is still valid.

[tptacek]

No, it is not at all "bucket A" and "bucket B", and suggesting otherwise is a grave insult to hundreds of researchers who would never dream of attempting (and, of course, inevitably failing) to "sell bugs to the black market". Finding interesting vulnerabilities in software makes you clever and talented, not sociopathic.

[lkbm]

> and suggesting otherwise is a grave insult to hundreds of researchers who would never dream of attempting (and, of course, inevitably failing) to "sell bugs to the black market".

No, suggesting otherwise is saying that a bounty program with high enough rewards can reach both legitimate security researchers and sketchy folks. This is in no way a slight on the first group.

[cloudjacker]

What he's saying is "raise the bid"

Your rationale would be a valid rebuttal in your world no matter what the amounts in question were. $500? Incentive! $50? Incentive!

[tptacek]

This is a non-sequitur response to my comment, whose whole purpose is to point out that a bug bounty is not a bid in an auction against organized crime.

[cloudjacker]

You wish it was a non sequitur when it is completely relevant

We can agree to disagree because the perspective really wasn't for you, it was for everyone else reading that will share a sentiment they've felt but never articulated

[PeterisP]

In practice, in many cases, bug bounties are de facto a bid in an auction against organized crime. It doesn't need to be 1-to-1 equivalent bid, and it's not for all sources of found bugs, but the intent and the effect is definitely there.

[zaroth]

There are many people capable of finding this specific bug and reporting it who might be motivated to take a look by a bug bounty, but who would never even consider trying to sell an exploit on the black market. I agree there is one cohort where you are trying to offer them an alternative to illegally monetizing their exploits. Then there is another cohort who you are just trying to encourage them to spend some time with your code versus someone else's. I could only guess at the relative sizes of the two groups, but the optimist in me thinks bug bounties are less about the former than the latter.

As we can see from avlidienbrunn2's response [1] sometimes it's not about the money. It's just fulfilling a natural curiosity about a product, maybe getting your killer write-up of a shocking bug to hit the top of the HN frontpage, etc. So in this case perhaps the bounty program is as much about establishing a legal structure for a whitehat to operate under than to fairly compensate ad hoc pen-testers. I wish they paid 10x or more for this bug. But I'm glad at least pen-testers can report these bugs without [as much] fear of reprisal.

[1] - https://news.ycombinator.com/item?id=12171753

[K0nserv]

I agree with the cohort theory, but to me it's not so much about the risk of someone selling an exploit on the black market, all though it's still a risk. To me it's more about how it reflects on a company where security is key to their product. Low bounties kinda gives of a vibe of not caring about the security of their product and maintaining it.

Personally I lost a lot of confidence in them when they got acquired and switched to 1Password, paying very low bounties for critical security flaws further hurts my confidence in them.

[tptacek]

Most companies, including companies far more security-sensitive than LogMeIn, pay no bug bounties at all. Meanwhile, the companies that pay the largest bounties are themselves routinely harangued online for underbidding the black market --- despite the fact that outbidding crime is in no way the purpose of a bug bounty.

From my vantage point, the logical conclusion to the comment you just wrote is that companies should avoid offering bug bounties. They just attract negative attention.

(I won't use LastPass, and have recommended 1Password --- but Tavis Ormandy is looking at 1Password right now, and I'm guessing they're going to end up disappointing HN too.)

[K0nserv]

It's true that not all companies pay bug bounties and you might very well be right that paying them, especially if they are much lower than other companies that operate bug bounties, might have a worse affect on public opinion then not having bug bounties at all. To me it's still concerning that Facebook pays 10x more for problems that are less severe and it does still make LastPass look like they don't care as much in comparison.

[dzmien]

Wouldn't a true white hat hacker report the bug no matter what the bounty? Therefor, the bounty is in place to encourage black-hat hackers to report the bug instead of trying to profit from exploiting it. But I do agree that it is in a security company's best interest to offer high dollar sums for reporting crucial bugs. I am just arguing semantics :-)

[throwawayReply]

It isn't a choice between "bother to submit or not", it's a case of a white-hat might be encouraged to look into this product rather than another product because of the bounty.

So the end effect is more bugs found by "white hats" rather than "black hats" because the bounty has focused the "white hat" efforts on your program. (Or encouraged them to look at all.)

I'm likely to poke around a site with a bug bounty even with small sums just because it hints at a more formal process and also likely means they have a sensible policy about not going after testers.

Bug bounties are as much about signalling than encouraging "black hats" to suddenly turn to the light side.

[ufmace]

I mostly agree, but I would say that if the amount of a bounty affects your decision on whether to responsibly disclose it or sell to the highest black-market bidder, then you are at the very least a grey hat.

[jerf]

"On the other hand, using regexp to parse the URL when it's such an obviously security critical code path... just, why?!"

Why not? URIs are at least able to be tokenized perfectly well by a regular expression. You have to do it right, but there's little guarantee that your non-regexp code will do it right either. I glanced at that regexp and immediately recognized several potential problems with it... will I be able to do that with your non-regexp code?

To concretize the "several potential problems": 1. You generally don't want to parse arbitrary protocols, you should do something like (http|https|file) or whatever set of protocols you are ready to receive. Usually you're better off treating anything else as "not a URL", but consult your local security context for details. 2. Failing that, you want at the very least .⁎? to stop matching at the first :, or if your engine doesn't have that, the protocol ought to be matched with something much tighter like [a-z]+. And I do mean + and not ⁎, because you probably don't mean to support an empty protocol before the colon. (You may mean to permit URLs with no protocol, but that's (.⁎?:)? .) 3. Domains should be parsed more tightly than "not a slash". 4. Also, I have no idea what the @ was doing there. Perhaps it was trying to be $; URL parsing should always end with the "end of string" matcher to avoid problems similar to this. It should also start with the start-of-string matcher, which this one doesn't, for similar reasons. 5. Bonus critique, anything using regular expressions to URL-encode or decode is very suspicious; strongly prefer built-in functions that do this.

I literally saw all this faster than I could type it; does your non-regular-expression based code have this property?

Regular expressions aren't bad. They're hard to write properly, but still probably easier to write properly than anything else. It turns out the underlying problem is fundamentally hard.

(Had to use an alternate asterisk to get the RE expressions correct with HN trying to format it.)

[0xbadcafebee]

Heh.

https://mathiasbynens.be/demo/url-regex

https://lostechies.com/chadmyers/2010/11/20/parsing-a-url-wi...

https://stackoverflow.com/questions/27745/getting-parts-of-a...

What do all these have in common? They all demonstrate that it is hard to write a regex that parses URLs.

Regex's hide programming mistakes because they not only become harder for humans to parse as they get more complicated, but also there isn't simple programming code to handle potential security vulnerabilities in-line with the code. It also hides the [at least] two considerations of secure programming: designing a secure function, and handling the function securely.

[jerf]

It is hard to write code that parses URLs, period.

You can't look at regexs in isolation, see that a task is hard, then declare them unfit. You have to consider them as one of the many choices and analyze the cost/benefits of the whole suite of options.

I guarantee you that anyone who has said "Oh, gosh, this is hard, I'll just start using indexOf and substring operations" has written code that is just as broken, only in ways much harder to tell.

Which is probably why everyone here thinks it's better to not use regex. You didn't write better code... you wrote code that hid its brokenness better. That's not a good thing!

Again, my real point here is not "regexes are awesome in every way"... my point is that I literally glanced at that code and saw several ways in which it was wrong. Does your alternative have that property?

Also, some of the difficulties of regexes are accidental, not essential. Take something like the recent Perl 6 efforts for parsing and you're far better off in every way using that stuff than trying to bash together string-manipulation-based parsing, or whatever other alternatives you may be thinking of. The Perl 6 constructs will be more readable and more maintainable. (Perl 6 is crazy in a lot of ways but the parsing support is best-of-breed.)

[bad_user]

Regular expressions describe finite state machines and in programming there's nothing simpler than finite state machines / finite automatons. Your handling of vulnerabilities inline is anything but simple. This is CS 101.

[peterwwillis]

The handling of security is anything but simple. Hence, a simple solution is anything but secure. This is Security 101.

[bad_user]

I can't even parse that. First sentence is false. Second sentence wouldn't follow from it if it were true, but then a false sentence can imply anything. And I've literally taken Security 101 in college.

You might also want to check the definition of "simple". Probably doesn't mean what you think it means.

[pmarreck]

> using regexp to parse the URL

A while back I whipped this up: https://gist.github.com/pmarreck/2956396

which seemed to work well (although it was a bit slower, I probably didn't know about exponential backtracking at the time and that could probably be revisited). It won't gather multiple name/value pairs though, but it will cut out and name basically every other part of the URL.

[greendestiny]

Wait what?

"Why not? URIs are at least able to be tokenized perfectly well by a regular expression."

"5. Bonus critique, anything using regular expressions to URL-encode or decode is very suspicious; strongly prefer built-in functions that do this."

[jerf]

Encoding or decoding is not tokenization.

And the problem is probably more accurately stated as "be suspicious of any function implementing encoding or decoding" rather than focusing on the regex part. Use the correct standard function. Don't bash something together yourself. They're actually pretty easy functions to write if you know what you're doing, but it's even easier to use some tested already-existing function. In fact, it's so easy that the fact that you see someone bashing together a URL encoding or decoding function almost certainly proves that they don't know what they are doing, which in turn means the URL encoding or decoding function was written by someone who doesn't know what they are doing. Unsurprisingly, these are, well, to quote myself, "suspicious".

Yes, that logic applies to URL parsing as well! Unfortunately, browsers make URL parsing extra hard, which is really stupid, so you end up with more crap in Javascript than anywhere else. Even then you ought to prefer someone else's tested solution over just smashing out a regular expression; however, it is not a knock on the tested solution if it is a regular expression-based solution.

[ebbv]

> Why not?

This article is a perfect example of why not.

[icebraining]

you can't complain after the fact for earning the maximum payout

Why not? Sure, you can't accuse them of being dishonest, but why would simply announcing an action make it beyond reproach?

[avlidienbrunn2]

At the time I submitted this, they didn't even have a bug bounty. Considering that, I think $1,000 is great :)

[estefan]

I think paying only $1000 for a potentially company-imploding bug like that is incredibly short sighted.

It's far too low to motivate a lot of people to look for bugs, and to me suggests they're not serious about protecting their reputation if someone does find such a company-destroying bug.

[tptacek]

HN has weird beliefs about the company-imploding properties of all sorts of bugs, from this to CSRFs that let you delete photos from Facebook. After all, a competitor could use it to erase all the photos on Facebook and then take over the market!

That was an actual argument on a thread about Facebook underpaying bounties.

[embik]

To be fair, this bug is pretty nasty because it allows anyone to get all your stored passwords. That's like the core business of LastPass. LastPass leaking your login credentials for e.g. online banking is really not comparable to deleting Facebook photos.

[tptacek]

How does paying extra money address the underlying concern that LastPass has absolutely trivial regex bugs that entirely defeat the security of the product? I agree that the bug is terrible, but the bounty and the impact of the bug to the company are largely orthogonal, unless the bounty includes a confidentiality term.

[embik]

I guess the point people (including me) are making is that it should pay off to do the right thing and report a bug that is capable of killing your (core) business. While OP obviously is a honourable person, others might not be and are more interested in getting money than doing the right thing.

Of course it's illegal/wrong to sell an exploit to third parties, but that doesn't stop people from doing illegal things as long as they get money for it. You just don't know about the issues that are sold because that's obviously not going public.

[k__]

They sold their future. The next bug will be sold to the highest bidder.

[onion2k]

People find and disclose bugs regularly even where there isn't a bounty. Most (at least 99.99%) developers don't want to see a useful, successful product fail even if they can personally gain from it. The likelihood that an exploit for Lastpass will be discovered by an attacker and sold to a nefarious actor is very small.

Further to that though, we now know that this problem is fixed in LastPass. We don't know about other password managers. To that end, LastPass is now a better option than it's rivals.

[microtonal]

To that end, LastPass is now a better option than it's rivals.

Only when you believe that all password managers are equally secure from the start.

There are many reasons to believe that this is not the case. Storing passwords in a cloud service is quite a red flag. Then there is a former employee stating on Twitter that part of the codebase is very neglected:

https://twitter.com/ejcx_/status/758081553712820225

[v0x]

I never understood why security-conscious people would choose to use a service (e.g. Lastpass) that stores all of your passwords in the cloud. Why not just use KeePass instead? Yes, it's a little bit more hassle, but all of the other password managers have been subject to serious exploits like the OPs that put people's data at serious risk of compromise.

[r1ch]

Bounties aren't just monetary motivation - they show that the company understands security and responsible disclosure. For example, I've found pretty bad flaws in some white label web-based CCTV DVR software (privilege escalation and session hijacking). I went to the company website and couldn't even find a technical support contact. Given there's no bug bounty or other evidence they take security seriously, I don't want to risk sending this to the wrong person and receiving legal threats etc so it will remain undisclosed.

[zaroth]

I have become a bit of a skeptic -- we know that a problem like this existed in the code-base and is now fixed. So, should we then conclude that LastPass is now "more secure" because of it, or is the existence of this face-palm bug in production code actually evidence that LassPass is "less secure"? Certainly I would not go so far as to claim that this bugfix somehow makes LassPass a better option than its rivals.

I put more/less secure in scare quotes, because my point is really that fixing one particular bug certainly closes that one particular attack vector, but security is not a progress bar that goes from 0 to 100.

What this write-up does in my mind is really highlight the risks that come along with using a complex piece of software to manage your passwords. We tell users they can use password managers to safeguard their passwords and increase their security. We talk a lot about the usability trade-offs which password managers entail, but perhaps not as much about the security trade-offs!

[tptacek]

It depends on the nature of the bug, right? In this case, the bug would make me much less likely to ever recommend LastPass.

[3minus1]

> Further to that though, we now know that this problem is fixed in LastPass. We don't know about other password managers.

Um...it was a really stupid mistake. Writing your own bug-prone regex here instead of using an existing, trustworthy function is just really bad. Especially when the consequences of a bug mean a hacker can steal someone's passwords.

You should really hope that any company that prides itself (and bases itself) on security would never release this bug. It absolutely lowers the reputation of lastpass.

[thruflo]

Perhaps LassPass users might like to donate to show their gratitude -- after all, you just protected an awful lot of people's passwords.

Have you got a mechanism you could post here for them to do so?

[avlidienbrunn2]

You may donate by spreading the word about multi-factor auth :)

[sundvor]

I wish I could upvote more than once. :-) Good on you, great reporting and all. Thanks for keeping my passwords more secure! And yes, I need Google Authenticator to log into my Lastpass.

[lorenzhs]

That's a great response. I really like my Yubikey (Neo) and wish I could use it with more sites.

[y04nn]

The fact that LastPass consider that a flaw in their system that could have put them on their knees is only worth 1K is quite frightening if you are relying on them for your security.

[crdoconnor]

Exactly this. I'm abandoning them now.

[SaturateDK]

I want an alternative, got a good one?

[Alpacalex]

If you're using a *nix system: https://www.passwordstore.org/ I switched over from LastPass a few months ago. It uses gpg for encryption and supports git for password syncing between systems. Pretty simple to set up and use. There are quite a few third party apps for it already (both desktop and mobile)

[veeti]

Does this still have the problem of leaking metadata (site names, etc.) in plain text? I don't want to manually obfuscate them.

[nilved]

If you don't like manually obfuscating things, just keep your passwords in a txt file.

[oslavonik]

I've been amazed by Pass, but couldn't find a thorough review between Pass and KeePass(x). Is one safer than the other?

[haasn]

`pass` is based on well-established cryptography implementations: GnuPG. GnuPG is recommended by many security experts and used widely by journalists dealing with sensitive disclosures, e.g. the edward snowden documents.

It also doesn't try to NIH some complicated database format or syncing technology but instead uses well-established software (git, plain directory structure and gpg-encrypted text files) which makes it robust, flexible and future-proof, and also responsive to changes in cryptography as it benefits from upstream GnuPG updates. You can use any PGP key structure you want, or even hardware PGP devices like the YubiKey.

KeePass on the other hand seems to be based on mostly homegrown techniques written by people with no or limited understanding of cryptography. (see e.g. [0]) That said, I don't know how much KeePassX continues this trend - but it's based on the same file format so it presumably has to reimplement at least some of KeePass's homegrown crypto.

I don't know how much more convincing you need, but personally I wouldn't even dare consider using anything other than `pass`.

[0] https://news.ycombinator.com/item?id=9727297

[slavik81]

One big difference: pass only encrypts the password. All metadata is plaintext, so anyone can see a full listing of what online accounts you have.

[embik]

pass is as safe as your gpg installation and your gpg key because that's the encprytion it uses.

[grewil2]

I tried LastPass, but didn't trust them, so I found https://www.passwordstore.org/ some year ago. I can't emphasize enough how good it is, mainly because it is so dead simple and transparent in how it works, and also because it has great bash integration, and uses git which makes it easy to sync between your machines. There is also a firefox plugin that integrates with it, but I don't really see that you need it: it is so easy to use at a prompt.

[daddykotex]

I use password store to, and it works really well. I'm on MacOS but having it to work under Android and Windows was a breeze.

[etatoby]

That's brilliant, thanks a lot!

I never trusted "cloud" (read: not yours) password stores. I have been using KeePass and manual syncing, but I had my doubts about it too.

This looks perfect and simple!

[imglorp]

Don't use anything that runs in the DMZ (browser), if you care about your secrets.

I use keepassx, which requires manual search, copy, paste but it can store its vault on a cloud drive, mobile etc. and can have a key file or password.

[cowkingdeluxe]

Worth mentioning that one of the major benefits of Keepass is that it is open source. Many of the other providers mentioned here are not.

[chrisper]

What do you mean? Autotype is available in KeepassX.

[riskable]

Autotype is a bit risky because it assumes you've got the correct window/element focused. All it takes to expose your passwords is for a pop-up (e.g. instant message) to appear at the right moment.

Even if you don't hit the enter key/submit the form it is still possible for that incorrect window/app to grab your keystrokes.

[mabcat]

I switched to 1Password after Lastpass got acquired. I obviously have no special knowledge how secure it is but it's serving me well. OSX browser integration excellent, iOS integration mediocre.

[jxpx777]

Disclosure: I work for AgileBits, makers of 1Password.

If you're interested, all our data formats are well documented for review: https://blog.agilebits.com/2013/03/06/you-have-secrets-we-do... You might also be interested in the security white paper for our hosted 1Password service: https://1password.com/security/ (White paper is linked at the bottom of the page.)

[niij]

How easy is it to migrate from Laspass to 1Password? I've had the worst experience with their tech support (reported 2 bugs that have both been scrapped as WONT FIX) and really don't want to support them as a premium subscriber anymore.

[gnufied]

Long time 1Password user here. I use it on bunch of Machines and I wish you guys supported Linux. :(

Heck 1Password mostly works under Wine, except perhaps there is no unlock on Secure desktop and bunch of other usability things.

[pwenzel]

I have been using 1Password since version 3 and highly recommend it. I personally am quite happy with the iOS support, synchronization, and mobile Safari extension.

[julsimon]

Dashlane is really good. Running 100% in AWS and leveraging a lot of their security features.

Here is their security white paper : https://www.dashlane.com/download/Dashlane-Security-Whitepap...

[jontas]

I just read the whitepaper (I am a long time Dashlane user) and they have a section on security of their javascript/browser extensions. They say that their extensions all use c++ so execute entirely outside of the javascript context. This would not have prevented the Lastpass exploit since all that was required as a malformed URL, but it is nice to see that Dashlane is thinking about this stuff. Also, had Lastpass not used js this exploit would've been harder to find (though not impossible).

[dashlanesupport]

Hello Julsimon, this is Simon from Dashlane's Support team. Thank you for your feedback. We have indeed ran multiple checks on our end and can confirm that we are not vulnerable to this type of issue. The code used for our auto-fill functions is shared on all our platforms and has been audited multiple times.

[scandox]

I've been using Pass for several months and I love it. https://www.passwordstore.org/

[pwenzel]

Within Pass is there a best practice for sharing passwords with another person or team?

[scandox]

I don't know about best practise but it integrates closely with Git. I store the encrypted passwords in a remote git repository. That means if someone else had the same GPG key and the password for that key, they could simply clone the repo and obtain the passwords. Equally they could add passwords and push them to the repo.

So that seems like a reasonable way for people to share them. However, I only use it for myself so I may not have thought of all the gotchas.

[chyle]

Check out Enpass password manager. https://www.enpass.io/

I found this alternative when LastPass was acquired by log me once. I was not happy with this. This app doesn't have hacking or vulnerability history like LastPass.

They also have a dedicated import for LastPass. https://www.enpass.io/docs/desktop-mac/import_lastpass.html

[tedmiston]

1Password is very nicely integrated if you're on a Mac and/or iOS. It's not free like LastPass, but I consider it a reasonable one-time* purchase.

*every few major releases

[crdoconnor]

KeePass, but I'm not 100% on that one either.

[toxican]

Why not? I've been using it for about a year now (switched from LastPass) and haven't had any issues. Kind of miss the in-browser features of LastPass, but seeing as how those are what's being exploited, maybe not so much!

[theandrewbailey]

There are browser extensions that work with KeePass. This LastPass vulnerability makes me wonder, too. I wish the KeePass site would be 100% HTTPS, though, but the maintainer is a jerk in that regard.

[_ea1k]

I use KeePass as well, but I have never tried it with a browser extension. That seems a little dangerous to me.

[ajdlinux]

Any good alternatives for LastPass Enterprise-style multi-user sharing?

(Apart from "don't use services that require you to share passwords for a single account". Alas.)

[winsome]

My team and I have been using 1Password Teams (https://1password.com/teams/) for this. They also have a Families service if for some reason you want to do the same thing with family and friends.

[greenshackle]

Does it need to have Windows client? I'm guessing yes. If not there is [SFLVault](http://sflvault.org/)

[ClayM]

I switched myself and my family to use 1Password Family. Been very happy with it. Syncs across all user and devices (except IE lol)

[riquito]

enpass.io, it supports pretty much every platform

[gourou]

Work on your memory, it's very hard to hack.

[Xylakant]

That's a very bad recommendation. Very few people are capable of remembering unique 10-character passwords for each site. I have like 100 passwords and accounts for various systems and I'm certainly not able to remember each of them. So either I start reusing passwords or I use a password manager.

[chatmasta]

You can vary the password based on the domain name with a predictable algorithm that only you know.

[e40]

For work and home I have nearly 500. The GP recommendation is absolutely terrible advice.

[retox]

No one is under any obligation to provide bug bounties.

[icebraining]

And no one is obligated not to take that into consideration when deciding whether to use the product.

[jug]

No, exactly -- at their peril.

[pmx]

I was surprised by them giving such a tiny amount too. The potential damage to their users here is staggering. If this was used to grab someone's twitter,facebook,email,linkedin an attacker could take full control of their online presence :S

[jrockway]

Let's do a little calculation to see if the payout is worthwhile.

Using something illegally means you run the risk of going to prison. Let's say there's a 1% chance you get caught, the prison sentence is 10 years, and the evil hackers will pay you $20,000 for your bug. Let's also say that you're a mid-career software engineer in the US, and over the next 10 years you expect to make $2M (after taxes).

This means your expected outcome over 10 years is $20,000 + (0.99 * $2M) = $1.98M. With Lastpass's bounty you end up with $2.001M.

With these assumptions, you should be paying Lastpass to find bugs in their software! Of course, if you're not in the US, you probably make a more reasonable salary (read: less), taxes are higher, and the risk of getting caught is lower.

[virtualwhys]

> over the next 10 years you expect to make $2M (after taxes)

That would be $300K per year pre-tax (assuming current 2016 tax rate of 33% for the 200-400K bracket). Is that really a normal mid-career salary?

I need to change jobs if that's the case...

[superuser2]

At elite big-name tech companies in the Bay Area, if you're selling your stock as it vests, that might be a little high but in the ballpark.

[overcast]

Now let's bring that salary estimate back down from outer space. $200,000 per year TAKE HOME, is not realistic, except for the very top percent of developers. And I'm talking the very top.

[Donzo]

There is also the reputation boost that the researcher receives for discovering this exploit and disclosing it in a responsible manner. The value of that is incalculable.

[fulafel]

In most places doing gray/black-hat things rarely results in going to prison, especially for someone who hasn't been convicted before.

https://en.wikipedia.org/wiki/List_of_computer_criminals paints a picture that prison time is mostly a US-only thing.

[00098345]

You are approaching from the wrong angle. How much was the exploit "worth" to the company?

Some people want to watch the burn. An attacker could make it known anonymously and LastPass will never recover from that onslaught.

[teekert]

Is it still illegal when Lastpass actually stimulates you financially to pry into their systems?

[vertex-four]

They authorize you to pry into their systems if, and only if, you report security bugs back to them. If you don't, they don't authorize you to pry into their systems, and it's illegal.

[downandout]

>If so, I am a little taken back by LastPass only offering $1,000 to the researcher that found and reported it for fixing.

I am a lot taken back by it. This wasn't a minor bug. I don't care if $1,000 was the published maximum payout under their bug bounty program - for something like this, the payout needs to be representative of the damage that would have been done to their reputation had this bug been discovered and exploited by bad actors. Given that reputation is everything in this space, any well-publicized incident using this would have effectively rendered the company dead within days.

Here's hoping they reconsider the award amount (though I'm certain they won't).

[maze-le]

Yes, my thoughts exactly. He could had made 100x that money on the black market, so no wonder we still have problems with 0days traded there.

How long would you work for $1,000? Some days, a week, two? If you spend more than a week on this problem it seems not worth to report it... On the other hand, if you set the incentive for bug bounty too high I imagine all sorts of cranks pop up, that want to show off bugs that are not there, and resources will be bound to this task -- they have to be verified, and analyzed even if its a bogus report (and in the worst case it will not accomplish anything).

Where is the middle ground?

[RangerScience]

"You agree not to disclose the full amount awarded you as part of this bug bounty award contract."

[estefan]

If the full amount is <=1000 it's irrelevant what you're actually awarded for a bug as serious as this.

[RangerScience]

Oh, no - I mean, if you want to reward people fairly, but not get a stampede to your door, tell them to report a smaller bounty than was received. They can spread private word to their network (presumably, other people who are going to actually be correct) but still provide hooks to the public.

Probably doesn't work out, but it's what came to mind as a way to deal with the balancing act.

[bluedino]

> How long would you work for $1,000? Some days, a week, two?

You might not work for long on a $1,000 problem, but other people sure will. College or high school students, people in a country with low salaries such as Ukraine...

[pmarreck]

He could have basically killed LastPass, the company, if he didn't go white-hat. And caused all sorts of other mayhem that would also have been far more profitable for him.

It does seem like an extremely low bounty for a security bug that severe.

I mean, in a 100% libertarian world, this hole would have been put up for auction to the highest bidder and LastPass would have had to ensure they were the highest bidder in order to close up the hole and basically save their business.

[hrrsn]

Seems like LastPass' bounty program is a joke. Their max reward is $1,000.

https://bugcrowd.com/lastpass

[thrwawayask]

Hi, newbie sec researcher here. Just wanna ask, how do we actually ask for a bounty considering that sometimes the severity of the breach is BIG (this, Shell Access, etc).

I really don't wanna ask the companies for money but it just seem so... underwhelming for me. (3 out of 3 rather big companies just gave some thanks)

[rando444]

No matter what it is, you don't just give someone something they didn't ask for, and then expect money in return.

It would be like someone walking up to you on the street, handing you something they think is valuable, and then hoping that you'll want it and pay them for it.

The first thing you should do is check and see if they have an official bug bounty, if they don't then contact them and ask them if they had one.. say something like "because you saw some things on their site that concerned you, but wanted to know if it was worth the time exploring further" .. this is assuming you already found something. The goal of this is to get them to try and offer a bounty.

If they don't offer a bounty, then if you want to be responsible, you can just disclose their vulnerabilities to them, and accept whatever thanks you get.

If you're explicitly doing what you're doing to try and get some money out of it, then your time would be better spent focusing on companies that have well published bug bounties.

[Dwolb]

Something to consider is a mis-alignment of incentives.

When LastPass gets breached, they're not directly responsible for what an attacker does with the passwords.

When another site/service gets breached, they have to spend a lot of time making it right to the customer again (e.g. rolling back transactions, compensating for lost or stolen funds, etc.)

[ghurtado]

I don't think of the bounty as a reward for choosing not to break the law. Staying out of jail is the reward for not breaking the law; the $1000 is just a token of appreciation for someone that could have otherwise not bothered to report the bug.

[ktta]

>Staying out of jail is the reward for not breaking the law

I think it works the other way around.