1. 21

  2. 14

    This person is the author of competing software and is attacking LastPass on two shaky bases:

    1. He reported the idea of a vuln to them 6 months before Taviso and they told him it’s not applicable because he didn’t provide an exploit. He complained about this and goes on to basically say “yeah but when Tavis did it they care! Waaah”. Think about it from a security triage perspective. You’re running a bug bounty and get a load of reports every day. Nearly all of these are bunk. You get one that says “there’s something here I know it!” and provides no evidence. You close it as non-exploitable and move on. If this guy cared he would have put in more effort instead of whining.

    2. He trivializes LastPass' prompt responses and fixes as PR stunts instead of what they are: a company taking product security seriously and deploying effective mitigation right away. He complains that they don’t fix every case, just what was exploited/reported. Well, duh. Has this guy actually dealt with bug reports or does he code at the bottom of a well with a “do not disturb the grue” sign posted at the top? The first step is mitigating the immediate issue, then once the damage is contained you consider going back and reevaluating the architecture such that similar things can’t happen again. And for those of us working on real products, how often do you get the time to do such a thing and implement larger changes which may introduce new bugs?

    I do agree with the ongoing critique that they left an old bug exploitable, but they fixed it promptly when it was reported again with a new exploit.

    The fact is that LastPass has the best browser and Android experience. It’s why they keep getting customers. Unfortunately, by playing inside a browser you open yourself up to so much more attack surface than if you stayed as a native application. As a LastPass user I accept that risk when I install the extension.

    1. [Comment removed by author]

      1. 13

        I agree that it’s not his responsibility to audit LastPass but he took it upon himself to do so, filed a crappy report, then whined about it getting ignored later. That’s not how it works. If he wants to be taken seriously he needs to put in effort instead of half-assing it. Either do it or don’t, he chose to do it.

    2. 2

      I like KeePass because it’s a file type and not an “app”, which has offered me so much portability across platforms and browsers