LogMeIn Heartbleed Extends To Personal Computer Passwords

Dave Zatz — April 15, 2014


As you’ve probably read during your recent Internet travels, an OpenSSL vulnerability was uncovered that puts server data at risk. Many prominent sites have since corrected the issue, dubbed Heartbleed, and it’s been advised that web passwords be changed. Yet LogMeIn just reached out with an interesting twist — they believe their server infrastructure to be sound at this time and don’t require a cloud password change. But it’s possible our local computer passwords were put at risk, given how data is relayed:

  1. Change your Windows PC or Mac passwords – This is for your computer login credentials only. You do not have to change your LogMeIn account login.

The real world risk of compromise based on this vector is probably minimal, especially if you use distinct usernames and passwords. But consider this an Ides of April PSA: Update your LogMeIn client software and contemplate changing your computer account password as LogMeIn continues to evaluate their (our) exposure:

In addition, our security team continues to perform a rigorous diagnostic investigation to ensure the protection of our users, and will provide additional product-specific updates if necessary.

10 responses to LogMeIn Heartbleed Extends To Personal Computer Passwords

  1. What on earth does this mean? Telling me to change my LOCAL MACHINE password, that is ridiculous

  2. “What on earth does this mean? Telling me to change my LOCAL MACHINE password, that is ridiculous”

    It’s not ridiculous at all. How do you think the architecture of LogMeIn type services work?

  3. It’s the age old sliding scale of security/convenience… Unlike a direct VNC connection, LogMeIn must act as a broker and pass our credentials. But is LogMeIn’s concern that they could have been intercepted or do they cache them in some way? Perhaps the client software utilizes OpenSSL? Hm.

  4. “But is LogMeIn’s concern that they could have been intercepted or do they cache them in some way?”

    Dunno. (But given that they seem to feel their servers are safe, it’d argue against the cache interpretation.)

    But, of course, if OpenSSL was involved anywhere along the chain, then local machine passwords certainly could’ve theoretically been intercepted.

    (And this is why I never used LogMeIn…)

    —–

    Here’s my favorite Heartbleed-apocalypse story of the day:

    “If a certificate authority has to revoke 10,000 certificates, that entry will have 10,000 certificates on it,” Mutton said. “And if browsers have to download that . . . we’re talking hundreds of megabytes.”

    It’s roughly the equivalent of having to download 30 minutes’ worth of standard-definition video just to view a single Web page.

  5. For all the agita Heartbleed is causing, it should be seen as good preparation for when Skynet gains self-awareness…

  6. Can someone explain to me how an OpenSSL compromise could have compromised one’s local machine Windows login or Mac machine login credentials? I’m not talking about the LogMeIn local machine credentials or the local machine LogMeIn webapp credentials.

  7. I think a reasonable assumption here is that there is an https server enabled on your local machine by LogMeIn which interestingly enough uses OpenSSL. Interesting in that if they used native Windows services the OpenSSL libraries wouldn’t have been used. The reason for this is probably to make it easy to get by the firewall, since control traffic that wasn’t http-based would likely be blocked by default. Or whatever. Anyway, they apparently installed an https server on your personal computer. Similar to the problem now showing up on various Android handsets…

    BTW Dave, nice catch. I don’t think LogMeIn reached out to me actually, and interestingly enough, the LastPass Security Challenge flags LogMeIn as still being exposed since their certificate is 10 months old.

  8. Oddly, when I go to logmein and click on the icon/more info/view certificate I see one issued on 4/10…

  9. The perspectives plugin for Firefox also shows the hash for the public key that LogMeIn uses changed about 7 days ago, so I’m pretty sure LogMeIn did the right thing, regenerated their private/public key and reissued their certificate. Like they’re supposed to. Looks like the LastPass info is wrong.

  10. While we continue to wait for some possible explanation for how LMI could have compromised the local machine OS login username and passwords, this little tidbit has me slightly more concerned.

    http://arstechnica.com/security/2014/04/confirmed-nasty-heartbleed-bug-exposes-openvpn-private-keys-too/
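Comments 7 through 9 above disagree about whether LogMeIn’s certificate was really rotated after Heartbleed, and they touch on the two checks that settle it: the certificate’s issue date (LastPass looked at that) and whether the public key hash changed (what the Perspectives plugin reported). The script below is an added example, not code from this post, LogMeIn, LastPass or Perspectives. It walks a DER certificate with a minimal standard-library ASN.1 reader, pulls out `notBefore` and the SubjectPublicKeyInfo, and classifies a post-disclosure certificate as not reissued, reissued with the same key, or genuinely re-keyed. It assumes a SHA-256 SPKI fingerprint as the key identity (Perspectives used its own key hash; the principle is the same), and the certificates it checks are constructed in the script itself so it runs offline; they are structurally valid but unsigned placeholders, not real LogMeIn certificates.

```python
import hashlib
from datetime import datetime, timezone

# Heartbleed was publicly disclosed on 2014-04-07; a certificate whose key
# predates that on a server that ran vulnerable OpenSSL is the case to worry about.
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)

# --- minimal DER reader (enough to walk an X.509 certificate) ---------------

def der_read(buf, pos=0):
    """Return (tag, value, end) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a SEQUENCE body into its elements as (tag, raw_tlv) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, _, end = der_read(value, pos)
        out.append((tag, value[pos:end]))
        pos = end
    return out

def cert_fields(cert_der):
    """Return (notBefore as an aware datetime, SubjectPublicKeyInfo DER)."""
    _, cert_body, _ = der_read(cert_der)        # Certificate ::= SEQUENCE
    _, tbs, _ = der_read(cert_body)             # tbsCertificate ::= SEQUENCE
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                    # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    validity_tlv, spki_tlv = fields[3][1], fields[5][1]
    _, validity, _ = der_read(validity_tlv)
    tag, raw, _ = der_read(validity)            # notBefore: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    not_before = datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)
    return not_before, spki_tlv

def spki_fingerprint(spki_der):
    """SHA-256 over the SPKI DER: this only changes when the key pair itself is regenerated."""
    return hashlib.sha256(spki_der).hexdigest()

def rekey_status(old_cert_der, new_cert_der):
    """Classify the certificate seen now against the one seen before disclosure."""
    _, old_spki = cert_fields(old_cert_der)
    new_not_before, new_spki = cert_fields(new_cert_der)
    if new_not_before < HEARTBLEED_DISCLOSED:
        return "not-reissued"                   # still the pre-Heartbleed certificate
    if spki_fingerprint(new_spki) == spki_fingerprint(old_spki):
        return "reissued-same-key"              # new cert, same (possibly leaked) key
    return "rekeyed"                            # new cert and a fresh key pair

# --- constructed sample certificates (placeholders, not real LogMeIn certs) --

def der(tag, body):
    """Encode one TLV with a definite length."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def make_cert(not_before, pubkey_bytes):
    """Build a structurally valid, unsigned test certificate (constructed here)."""
    utc = lambda d: der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    # rsaEncryption OID; also used as a placeholder signature algorithm since nothing is signed
    rsa_alg = der(0x30, der(0x06, bytes.fromhex("2A864886F70D010101")) + der(0x05, b""))
    # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here CN=example.test
    name = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x13, b"example.test"))))
    spki = der(0x30, rsa_alg + der(0x03, b"\x00" + pubkey_bytes))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + rsa_alg + name
              + der(0x30, utc(not_before) + utc(not_before.replace(year=not_before.year + 1)))
              + name + spki)
    return der(0x30, tbs + rsa_alg + der(0x03, b"\x00" * 9))   # signature left as zero bits

KEY_OLD = bytes(range(16))          # placeholder key material, constructed
KEY_NEW = bytes(range(16, 32))
CERT_PRE      = make_cert(datetime(2013, 6, 1, tzinfo=timezone.utc), KEY_OLD)   # the "10 months old" cert
CERT_REISSUED = make_cert(datetime(2014, 4, 10, tzinfo=timezone.utc), KEY_OLD)  # reissued, key not rotated
CERT_REKEYED  = make_cert(datetime(2014, 4, 10, tzinfo=timezone.utc), KEY_NEW)  # reissued with a new key

if __name__ == "__main__":
    for label, cert in [("reissued", CERT_REISSUED), ("rekeyed", CERT_REKEYED)]:
        nb, spki = cert_fields(cert)
        print(label, nb.date(), spki_fingerprint(spki)[:16], rekey_status(CERT_PRE, cert))
```

The point of the two-signal check is the middle case: a certificate dated after April 7 that still carries the old SPKI fingerprint has been reissued but not re-keyed, which is exactly the gap a date-only tool reports as fixed and a key-hash tool reports as still exposed. For a real site you would feed `cert_fields` the DER from `ssl.PEM_cert_to_DER_cert` on a saved copy of the old certificate and on the one served today.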