Renowned Google Project Zero security Travis Ormandy recently draw some flak from the tech community after he unceremoniously revealed some perceived vulnerabilities of the LastPass password manager. On the good side, the flaw was properly patched before being exploited by malicious users.
In a series of tweets, Ormandy hinted that he discovered a handful of flaws on LastPass. While the security engineer did not give the exact details of his discovery, many tech experts admonished his move. Experts said that he should have notified LastPass of the flaw before going public.
Ormandy's first tweet reads, "Are people really using this lastpass thing? I took a quick look and can see a bunch of obvious critical problems. I'll send a report asap."
About 10 minutes later, Ormandy tweeted that he has already informed LastPass of the flaw and advised people working with the company to contact him in order to work out a patch to fix the problem.
According to Tech Target, LastPass said that the flaw was only affecting Firefox users. The company later added that it is working closely with Ormandy in order to look for other vulnerabilities on its code in order to be properly fixed.
Although Ormandy may have good intentions in sharing his discovery, some security experts condoned his action of disclosing the flaw to the public before contacting the involved party. A recent review of the flaw revealed that when exploited, it could give start a "complete remote compromise" allowing hackers to access an infected account without physically accessing the device.
This is not the first time password managers like LastPass was in the hot seat for perceived vulnerabilities. In 2014, security researchers discovered gaping security loopholes in LastPass and four other password managers, according to Sydney Morning Herald.
In 2015, security researchers were able to inject a malicious program into the Apple App Store that could allow them to steal passwords and other sensitive user data from the OSX and iOS' built-in password management tool Keychain. It was also revealed that popular password manager 1Password was also compromised.
