Password service locks out hackers
Password service Lastpass blocks the IP addresses of users who probe the site's security, a measure that can easily cause collateral damage. Lastpass stores passwords centrally and makes them available to devices independently of browser and platform, via browser extensions and apps.
This rather unusual security measure came to light when an editor at c't magazine, The H's associates in Germany, while preparing an article, routinely fed a few of the site's input fields with character strings that would reveal cross-site scripting (XSS) or SQL injection flaws. Such holes are unfortunately still very common, and would be unforgivable in a central password storage service. When a colleague of the editor tried to access the Lastpass web site a little later, he was met only with a message that his IP address had been blocked because of suspicious activity.
Since all of the publisher's employees reach the internet through a shared proxy, it was this proxy's IP address that had been blacklisted, which promptly locked out every Heise employee; the address was unblocked again after a short email exchange. However, the question remains whether such a blacklist is really a suitable way of improving a service's security. Apparently, Lastpass only introduced the measure after details of an XSS hole in its web pages were published on the internet; Lastpass closed that hole the following day, a Sunday.
Talking to our associates at heise Security, Joe Siegrist from Lastpass said that his service doesn't generally object to users testing its site. However, Siegrist said that his company wants to make sure users will notify Lastpass of any problems first. He added that users should be aware that their actions trigger an alarm. Of course, the other remaining problem is that the measure not only blocks those responsible, but also uninvolved third parties who reach the internet through the same NAT firewall or shared proxy. This issue isn't limited to corporate networks: mobile network users are usually also routed through such shared gateway addresses when they access the internet, so a few black sheep could lock an entire mobile network out.
There is also the danger that attackers could embed in web pages code that calls Lastpass URLs with strings typical of XSS payloads. Simply viewing a seemingly harmless page could then, without any further input by the user, make the visitor's browser load these strings and trigger an alarm at Lastpass against the visitor's own IP address. However, Siegrist says that this risk is small because blocks are triggered manually rather than automatically by an intrusion detection system. He noted that extensions and apps remain unaffected, which means that users continue to have access to their stored passwords. Siegrist summarised his company's reasons for implementing the measure: "Essentially we're making it clear to hackers that we refuse to be an easy target".
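The two failure modes described above, a shared proxy or mobile gateway address that hides many users behind one IP, and a third-party page that makes a bystander's browser fetch probe-like URLs, can be reproduced with a few lines of code. The following Python is an added illustration written for this article; it is not Lastpass code and makes no claim about how Lastpass actually detects probes. The log records, the host name `lastpass.example`, the session identifiers and the detection patterns are all constructed for the example. It contrasts a naive per-IP blocklist with one that attributes a probe to the session that sent it and treats requests a third party could have induced (no session, cross-site referrer) as low-confidence. The second variant is not better at catching a determined attacker, who can drop cookies and set any Referer; its only purpose is to stop punishing bystanders.

```python
"""Illustration of collateral damage from IP-keyed probe blocking (added example)."""
import re
from collections import defaultdict

# Crude signatures a probe detector might look for in request parameters.
# Deliberately tiny; a real rule set is far larger (assumption for the example).
PROBE_PATTERNS = [
    re.compile(r"<script\b", re.I),
    re.compile(r"'\s*or\s+1=1", re.I),
    re.compile(r"union\s+select", re.I),
]

SITE_HOST = "lastpass.example"  # hypothetical host name, not the real service

# Constructed access log, one tuple per request (not real traffic):
# (source IP, session id or None if unauthenticated, Referer host, URL-decoded path+query)
SAMPLE_LOG = [
    # Corporate proxy: one IP shared by several staff, one of whom probes an input field.
    ("203.0.113.10", "sess-editor",     SITE_HOST, "/search?q=<script>alert(1)</script>"),
    ("203.0.113.10", "sess-colleague1", SITE_HOST, "/vault"),
    ("203.0.113.10", "sess-colleague2", SITE_HOST, "/vault"),
    # Home user whose browser was made to load a probe-like URL by a third-party page;
    # a cross-site subresource load arrives with no session and the foreign page as Referer.
    ("198.51.100.7", None,          "evil.example", "/search?q=<script>x</script>"),
    ("198.51.100.7", "sess-victim", SITE_HOST,      "/vault"),
    # Mobile gateway: many subscribers behind one address, one of whom probes the login form.
    ("100.64.0.1", "sess-sub1", SITE_HOST, "/login?user=admin' or 1=1--"),
    ("100.64.0.1", "sess-sub2", SITE_HOST, "/vault"),
    # Unrelated user on their own address.
    ("192.0.2.44", "sess-alice", SITE_HOST, "/vault"),
]


def looks_like_probe(path: str) -> bool:
    """True if the request path/query matches any probe signature."""
    return any(p.search(path) for p in PROBE_PATTERNS)


def naive_ip_blocklist(log):
    """The measure discussed in the article: block the source IP of every probe-like request."""
    return {ip for ip, _sess, _ref, path in log if looks_like_probe(path)}


def collateral_damage(log, blocked_ips):
    """Map each blocked IP to the sessions behind it that never sent a probe themselves."""
    probing = {sess for ip, sess, _ref, path in log if looks_like_probe(path) and sess}
    damage = defaultdict(set)
    for ip, sess, _ref, _path in log:
        if ip in blocked_ips and sess and sess not in probing:
            damage[ip].add(sess)
    return {ip: sorted(sessions) for ip, sessions in damage.items()}


def session_scoped_blocklist(log, site_host=SITE_HOST):
    """Bystander-friendly variant: block the session that sent the probe, not the address.

    Requests with no session or with a cross-site Referer are skipped because a
    third-party page can induce them from an innocent visitor's browser; in
    practice they should be logged or rate-limited, not turned into a block.
    Referer can be stripped or forged, so this reduces false positives only.
    """
    blocked = set()
    for _ip, sess, ref, path in log:
        if not looks_like_probe(path):
            continue
        if sess is None or ref != site_host:
            continue  # low-confidence evidence: possibly induced cross-site
        blocked.add(sess)
    return blocked


if __name__ == "__main__":
    ips = naive_ip_blocklist(SAMPLE_LOG)
    print("naive IP blocklist:      ", sorted(ips))
    print("innocent sessions hit:   ", collateral_damage(SAMPLE_LOG, ips))
    print("session-scoped blocklist:", sorted(session_scoped_blocklist(SAMPLE_LOG)))
```

Running it shows the naive list blocking three addresses and, with them, four sessions that never sent a probe (two colleagues behind the proxy, the induced-request victim, and a second mobile subscriber), while the session-scoped variant blocks only the two sessions that actually submitted payloads.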