Hacker News

They sold their future. The next bug will be sold to the highest bidder.



People find and disclose bugs regularly even where there isn't a bounty. Most (at least 99.99%) developers don't want to see a useful, successful product fail even if they can personally gain from it. The likelihood that an exploit for Lastpass will be discovered by an attacker and sold to a nefarious actor is very small.

Further to that though, we now know that this problem is fixed in LastPass. We don't know about other password managers. To that end, LastPass is now a better option than its rivals.


> To that end, LastPass is now a better option than its rivals.

Only when you believe that all password managers are equally secure from the start.

There are many reasons to believe that this is not the case. Storing passwords in a cloud service is quite a red flag. Then there is a former employee stating on Twitter that part of the codebase is very neglected:

https://twitter.com/ejcx_/status/758081553712820225


I never understood why security-conscious people would choose to use a service (e.g. Lastpass) that stores all of your passwords in the cloud. Why not just use KeePass instead? Yes, it's a little bit more hassle, but all of the other password managers have been subject to serious exploits like the OP's that put people's data at serious risk of compromise.


Bounties aren't just monetary motivation - they show that the company understands security and responsible disclosure. For example, I've found pretty bad flaws in some white label web-based CCTV DVR software (privilege escalation and session hijacking). I went to the company website and couldn't even find a technical support contact. Given there's no bug bounty or other evidence they take security seriously, I don't want to risk sending this to the wrong person and receiving legal threats, etc., so it will remain undisclosed.


I have become a bit of a skeptic -- we know that a problem like this existed in the code-base and is now fixed. So, should we then conclude that LastPass is now "more secure" because of it, or is the existence of this face-palm bug in production code actually evidence that LastPass is "less secure"? Certainly I would not go so far as to claim that this bugfix somehow makes LastPass a better option than its rivals.

I put more/less secure in scare quotes, because my point is really that fixing one particular bug certainly closes that one particular attack vector, but security is not a progress bar that goes from 0 to 100.

What this write-up does in my mind is really highlight the risks that come along with using a complex piece of software to manage your passwords. We tell users they can use password managers to safeguard their passwords and increase their security. We talk a lot about the usability trade-offs which password managers entail, but perhaps not as much about the security trade-offs!


It depends on the nature of the bug, right? In this case, the bug would make me much less likely to ever recommend LastPass.


> Further to that though, we now know that this problem is fixed in LastPass. We don't know about other password managers.

Um...it was a really stupid mistake. Writing your own bug-prone regex here instead of using an existing, trustworthy function is just really bad. Especially when the consequences of a bug mean a hacker can steal someone's passwords.

You should really hope that any company that prides itself (and bases itself) on security would never release this bug. It absolutely lowers the reputation of LastPass.
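The class of bug the comment above is talking about, as an added example that is not LastPass's code and not the regex from the original write-up: a hand-rolled "extract the host from the URL" regex used to decide whether to autofill a saved credential, next to the same decision made with the browser's built-in WHATWG URL parser. The hostnames (bank.example, attacker.example) and the sample URLs are constructed for illustration; the function names are assumptions.

```javascript
// Added example (not LastPass code): why a hand-rolled "extract the host" regex
// is a dangerous foundation for an autofill decision, and what to use instead.

// Hand-rolled parser of the kind the comment warns about. The optional
// "(?:.*@)?" is meant to skip user:pass@ userinfo, but "." also matches "/",
// so an "@" anywhere later in the URL drags the capture past the real host.
const NAIVE_HOST_RE = /^https?:\/\/(?:.*@)?([^\/:?#]+)/i;

function naiveHost(url) {
  const m = NAIVE_HOST_RE.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Hardened version: delegate to the WHATWG URL parser built into browsers and
// Node, then apply the policy checks on the structured result.
function safeHost(url) {
  let u;
  try {
    u = new URL(url);
  } catch (e) {
    return null; // unparseable input: never treat it as a match
  }
  // Credentials are only ever filled into http(s) pages.
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  return u.hostname; // already lowercased; userinfo and path are separate fields
}

// Autofill gate: fill a credential stored for credHost only when the page's
// host is exactly that host (no suffix or substring matching).
function shouldAutofill(credHost, pageUrl, hostFn = safeHost) {
  const h = hostFn(pageUrl);
  return h !== null && h === credHost.toLowerCase();
}

// Constructed sample page URLs (not real sites). "bank.example" is the site a
// credential was saved for; "attacker.example" hosts the phishing page.
const CASES = [
  "https://bank.example/login",                 // legitimate login page
  "http://attacker.example/@bank.example/",     // "@" in the path fools the regex
  "https://bank.example@attacker.example/",     // userinfo trick
  "https://bank.example.attacker.example/",     // prefix trick, must not match
  "javascript:alert(1)//bank.example",          // wrong scheme, must not match
];

// Runs both parsers over the sample URLs and reports which one would autofill.
function runComparison(credHost = "bank.example") {
  return CASES.map((url) => ({
    url,
    naiveFills: shouldAutofill(credHost, url, naiveHost),
    safeFills: shouldAutofill(credHost, url, safeHost),
  }));
}

for (const row of runComparison()) {
  console.log(`${row.url}\n  naive regex fills: ${row.naiveFills}  URL parser fills: ${row.safeFills}`);
}
```

The second case is the interesting one: the regex reports the host as bank.example because its greedy `.*@` runs straight through the `/` into the path, so the naive gate would hand the bank credential to attacker.example, while `new URL()` correctly reports attacker.example and the hardened gate refuses. The remaining cases show that exact host comparison and a scheme check are needed on top of correct parsing.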



