So I'll have my coffee this morning. I realized there was a tweet from Tavis Ormandy, and whenever he tweets it's usually something pretty interesting, especially when it's in regards to LastPass. He has long been poking away at LastPass, which is one of the reasons I like the product. Yes, a flaw was found. Yes, the flaw was fixed. So don't worry, you're safe as long as you're not bypassing or stopping updates from coming through to your system, including your standard Chrome updates, your Chrome browser updates, your Mozilla updates and your plug-in updates. As long as you're not stopping them, you're fine. So we'll at least clear that up right now.

Second: why do I keep using LastPass if there keep being flaws found in it? And this is where people have a big misunderstanding of security all the time. They assume because a flaw was found in their product, the product therefore should not be used. I prefer products not because they have no flaws in them, but because they have security researchers like Tavis Ormandy constantly poking at the code. LastPass has also gone through pretty extensive code reviews. These are important aspects to any product, whether it be hardware or software; if it has any software on it at all that runs that hardware, you want a strong security research team to do code review, to constantly be checking it for bugs. And you can't just assume because some new product is on the market and has not been hacked that it is secure. It is not secure until it has gone through a lot of testing, and even then it's whether or not those testers were able to find it. So that is a really subjective thing of just how good these testers are. Tavis is one of the best in the business and works for Google's Project Zero.

Now this particular bypass was a little bit interesting. So LastPass could leak the last used credentials due to a cache not being updated. This is because you can bypass the tab credential cache being populated by including the login form in an unexpected way, and the code is actually a little bit interesting. So the concept is that if you go to accounts.google.com and are prompted to click the password ... and fill it in, and then go to example.com. I know what they're doing is saying that if you have it filled in but sitting there, it is now cached because it's in there, but you haven't logged in yet to clear the cache. Then you head over to another site, for example example.com, and it would be able to see the credentials that were pulled for the previous site. So there is a high severity level to this, but it's also a little bit tricky to do, and he didn't have, at the time of recording right now, a proof of concept put up, but he just figured out how to wait and automatically compare these until it succeeds. Basically, where this gets a little bit trickier is to take another URL, like any subdomain of the URL you were logged into, to help hold those credentials forward, and then iframe them into another page. And like I said, I'll leave links to all this you can read through, and this will get updated if Tavis posts this proof of concept down here.

But what I really wanted to talk about, directly related to this, is that whole concept of: because there's a flaw found, you should stop using the product. Now that depends on how those companies respond. There's a lot more to security than just "a flaw was found, stop using it." A flaw was found, the company responded properly, and they did. Tavis went through the proper disclosure method of finding the bug, creating a proof of concept (you know, basically you have to prove that this is real), and submitting it to the teams over at LastPass. LastPass looked at it and went, that's valid and we understand the flaw, we understand how to reproduce it, which is an important concept whenever you're doing bug bounties or bug hunting: being able to reproduce the bug, not having a one-off of "not sure how it happened," because that becomes really hard for the programmers to fix. But that proof of concept was put together, Tavis found it, LastPass took care of it and an update was issued. Now it's all public disclosure and out in the open. This is the cycle of security. This is an important aspect of it, and like I said, just because there's people poking at these products and then finding the flaws, it's all about how these companies respond to the flaws; that will be the determining factor of whether or not that product stays secure. And any product that doesn't have people poking at it, that does not mean it's secure. So you could release some software today and make that bold statement: never been hacked, never been a flaw found in the product. But until these companies go through solid code review, they're really hard to trust.

This also makes it very difficult to start new companies and gain the users' trust now. There's always some people who go "new product" and jump on it, but I'm always very cautious on these, especially when they're products that maybe just don't have much market saturation. So there's not a lot of use, there's not a lot of time that I have to poke at them, and I'm really not a great pen tester. It's not what I do. You want the really high-end pen testers to go through, do code reviews and really poke at it. You want them to have a whole process over on somewhere like HackerOne where they offer bug bounties to encourage larger groups of people to poke at it. And by the way, when you're starting up a company, especially anything in the software realm, this is part of the process now: having your code reviewed. I talked about this before with Keybase, and they were very public about their code review. It took a while before they got to it, but it also cost them a whole hundred thousand dollars to do. It is not trivial to do an extensive level of pen testing and code review on any particular product. This is why I do like LastPass.

I'm shocked that LogMeIn has not destroyed them as a company. So if any of you were going, "but LogMeIn owns them, didn't they do bad things?" LogMeIn is not a company that has a reputation of doing wonderful products, but LastPass has been one that I think they've left alone. They realize it's a popular product, it has excellent market share, and with people like Tavis poking at it, they seem to keep their security up to date and they're still as responsive as they've ever been.

Now, for those of you who don't know why you'd use any password manager: the password manager has to be a zero trust system. LastPass is a zero trust system. For those of you wondering or trying to research that, there's a few other ones out there; Bitwarden is another one people have asked me to review and I just really haven't had the time to dig into it. But all these are based on zero trust, where companies like LastPass do not have your password. That's why all of these attacks are always occurring at the browser level, because it is filling in passwords within the browser. So any time you have something filling in passwords within the browser itself, because the decryption is happening on your side at your computer, because it's not happening at the LastPass level, that's why these attacks happen here. It's the only place they can happen. They're not attacking LastPass directly; LastPass, by not having your passwords, removes that piece of attack surface by going, "we don't have the password." You've got to check the browser, and that's where Tavis is really poking at it, is within the browser. And of course, this is a credential caching problem where you have filled in the credentials but haven't submitted them. It's an interesting bug. It's so exciting that LastPass fixed this right away. That makes me very happy, because I see this could be exploited, and we don't have any proof that this was or was not exploited in the wild. So we don't know; no websites were found.

This is just Tavis working on his own research and going, "I wonder if," and that's how a lot of security researchers work. They kind of poke at something and go, "I wonder if it would do this," and when they find it, you know, there's a whole aha moment, and then you turn it into a proof of concept and a bug report.

So my conclusion is I'm going to still continue using LastPass. I still trust it as a product. I trust it more when I see security researchers poking really hard at it, and it's partly because of their market share. They're one of the biggest password managers out there, so there's a massive amount of, you know, people trying to gain an edge on LastPass, and of course that has the interest of security researchers who also want to, you know, get their name in lights by finding a flaw in LastPass. And the cycle will continue, and every little hole closed makes it just that much safer for a product. Thanks.

And thank you for making it to the end of the video. If you like this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com where we can carry on the discussion about this video, other videos or other tech topics in general. Even suggestions for new videos are accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page. We have a lot of great tech offers for you. And once again, thanks for watching and see you next time.