Tavis Ormandy, a researcher at Google Project Zero, found some critical security flaws in the famous password manager LastPass which could allow hackers to steal passwords.
At first, it was LastPass version 3.3.2 which was reported to have the bug. Mr. Ormandy hasn’t made his finding public until now, and it looks like the LastPass team is currently working on a patch. However, things didn’t end there. Soon after LastPass officials fixed the threat, Mr. Ormandy found another bug in the password manager.
We are aware of the report by @taviso and our team has put a workaround in place while we work on a resolution. Stay tuned for updates.
— LastPass (@LastPass) March 21, 2017
Mr. Ormandy pointed out that version 4.1.42 of LastPass (both Chrome and Firefox) contained another bug which could allow an attacker to steal users' passwords.
Oops, new LastPass bug that affects 4.1.42 (Chrome&FF). RCE if you use the "Binary Component", otherwise can steal pwds. Full report on way. pic.twitter.com/y92vm3Ibxd
— Tavis Ormandy (@taviso) March 20, 2017
We are aware of reports of a Firefox add-on vulnerability. Our security is investigating and working on issuing a fix.
— LastPass (@LastPass) March 22, 2017
According to the Google Project Zero experts, this vulnerability was even worse. It allowed a hacker to steal a user’s password for any domain, and if the binary version of the extension is installed, the hacker could do more damage. The binary version can be exploited to run any code the hacker chooses (this was done via remote procedure call (RPC) commands).
Mr. Ormandy shared details of this flaw with the public, including a proof of concept (PoC), and explained that the vulnerability arose from the websiteConnector.js content script. Hackers can exploit the script to send unauthenticated messages to the extension, allowing them either to steal passwords or to execute arbitrary code.
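The bug class described above, a content script that relays unauthenticated page messages to the extension, is sketched here beside a hardened relay. This is an added example, not LastPass code or Mr. Ormandy's proof of concept; the window-message transport, the origin, the command names and the function names are assumptions made for illustration.

```javascript
// Added illustration of the bug class; not LastPass code. All names are hypothetical.
const TRUSTED_ORIGINS = new Set(["https://vault.example.com"]); // assumed vendor origin
const PAGE_COMMANDS = new Set(["ping", "getVersion"]); // harmless, page-callable

// Weak relay: forwards whatever any page posts, so the page chooses the command.
function relayUnauthenticated(event, sendToExtension) {
  if (!event.data || !event.data.fromPage) return false;
  sendToExtension(event.data);
  return true;
}

// Hardened relay: authenticate the sender, allowlist the command, and forward
// a freshly built message rather than the page-controlled object.
function relayAuthenticated(event, pageWindow, sendToExtension) {
  if (event.source !== pageWindow) return false; // not this page's own window
  if (!TRUSTED_ORIGINS.has(event.origin)) return false; // exact match, no prefix tests
  const data = event.data;
  if (typeof data !== "object" || data === null) return false;
  if (typeof data.cmd !== "string" || !PAGE_COMMANDS.has(data.cmd)) return false;
  sendToExtension({ cmd: data.cmd, origin: event.origin });
  return true;
}

// Constructed sample events; pageWindow stands in for `window` in a content script.
function demo() {
  const pageWindow = {};
  const mk = (origin, cmd) => ({ source: pageWindow, origin, data: { fromPage: true, cmd } });
  const events = [
    mk("https://attacker.example", "readVaultEntry"), // untrusted page
    mk("https://vault.example.com", "getVersion"), // trusted origin, harmless command
    mk("https://vault.example.com", "readVaultEntry"), // trusted origin, privileged command
    mk("https://vault.example.com.attacker.example", "ping"), // lookalike origin
  ];
  const weak = [];
  const hardened = [];
  for (const ev of events) {
    relayUnauthenticated(ev, (m) => weak.push(m));
    relayAuthenticated(ev, pageWindow, (m) => hardened.push(m));
  }
  return { weak, hardened };
}

const { weak, hardened } = demo();
console.log(`weak relay forwarded ${weak.length}, hardened forwarded ${hardened.length}`);
```

In a real content script the hardened function would be registered with `window.addEventListener("message", ...)` and given `chrome.runtime.sendMessage` as the sender. The background page should still treat every relayed message as untrusted and check the command again.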
In a blog post, Lauren VanDam of LastPass wrote that the fixes are being pushed to all users and most should be updated automatically. Moreover, VanDam stated that the company has no indication that any of the reported vulnerabilities were exploited in the wild.
“On the night of March 20th, we received a report of an issue in our Chrome 18.104.22.168 extension. We immediately investigated and released a server-side workaround within a few hours. The exploit applied to all LastPass clients – Chrome, Firefox, Edge – in which an experimental user onboarding feature was released.”
“Later on March 21st, another report came in related to Firefox 4.1.35a. In fact, this vulnerability is largely the same as the one reported the prior day, and affecting the 4.x Firefox addon. While this issue would have been addressed by our full fix to follow our workaround, this report was received before this could be released. We issued an update, Firefox 4.1.36a, around 12:15 am ET today to specifically address that report.”
Although using a password manager can save plenty of time, when privacy is at risk, it’s better not to use it! Also, this is not the first time that LastPass has been vulnerable to such attacks. Last year LastPass was in the spotlight for similar reasons as well, and if proper measures are not taken, LastPass may lose its valuable audience.