HackRead
Flaws in LastPass Password Manager Allowed Hackers to Steal Credentials

March 22nd, 2017 | Uzair Amir | Security

Tavis Ormandy, a researcher at Google Project Zero, found critical security flaws in the popular password manager LastPass that could allow attackers to steal passwords.

At first, LastPass version 3.3.2 was reported to have the bug. Mr. Ormandy has not made that finding public yet, and the LastPass team appears to be working on a patch. However, things did not end there: soon after LastPass officials fixed the threat, Mr. Ormandy found another bug in the password manager.

We are aware of the report by @taviso and our team has put a workaround in place while we work on a resolution. Stay tuned for updates.

— LastPass (@LastPass) March 21, 2017

More: LastPass hacked; security compromised for good

Mr. Ormandy pointed out that version 4.1.42 of LastPass (both the Chrome and Firefox extensions) contained another bug that could allow an attacker to steal users' passwords.

Oops, new LastPass bug that affects 4.1.42 (Chrome&FF). RCE if you use the "Binary Component", otherwise can steal pwds. Full report on way. pic.twitter.com/y92vm3Ibxd

— Tavis Ormandy (@taviso) March 20, 2017

We are aware of reports of a Firefox add-on vulnerability. Our security is investigating and working on issuing a fix.

— LastPass (@LastPass) March 22, 2017

According to the Google Project Zero researcher, this vulnerability was even worse. It allowed an attacker to steal a user's password for any domain, and if the binary version of the extension was installed, the attacker could do more damage: the binary component could be exploited to run arbitrary code of the attacker's choosing (this was done via remote procedure call (RPC) commands).

Mr. Ormandy shared details of this flaw with the public, including a proof of concept (PoC), and explained that the vulnerability arose from the websiteConnector.js content script. The script could be abused by attackers to send unauthenticated messages to the extension, allowing them either to steal passwords or to execute arbitrary code.
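The bug class described above is a browser-extension content script that acts on messages from the web page without checking who sent them. The following is an added illustration, not LastPass's code and not the researcher's proof of concept: it places an insecure message handler beside a hardened one and runs both over constructed messages. The page-to-content-script channel is assumed to be window.postMessage, and the origins, window objects and message shapes are all made up for the example.

```javascript
// Added example, not LastPass's code: a content script message handler
// that trusts any sender, beside one that checks origin, source window,
// message shape and an allow-list of actions. The channel is assumed to
// be window.postMessage; all names and origins are constructed.

const TRUSTED_ORIGIN = "https://vault.example.test"; // assumed trusted site

// Records every action that reaches the privileged extension side, so the
// two handlers below can be compared on identical inputs.
function makeSink() {
  const forwarded = [];
  return { forwarded, send: (m) => forwarded.push(m) };
}

// Insecure pattern: any page can trigger a credential lookup simply by
// sending a message with the expected "type" field.
function handleMessageInsecure(event, sink) {
  const msg = event.data;
  if (msg && msg.type === "getCredentials") {
    sink.send({ action: "getCredentials", domain: msg.domain });
    return true;
  }
  return false;
}

// Hardened pattern: reject anything not from the trusted origin and the
// page's own window, then validate the payload before forwarding only
// allow-listed actions with well-formed fields.
const ALLOWED_ACTIONS = new Set(["getCredentials"]);
const DOMAIN_RE = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i;

function handleMessageHardened(event, sink, ownWindow) {
  if (event.origin !== TRUSTED_ORIGIN) return false;
  if (event.source !== ownWindow) return false; // e.g. sent from an embedded frame
  const msg = event.data;
  if (!msg || typeof msg !== "object") return false;
  if (!ALLOWED_ACTIONS.has(msg.type)) return false;
  if (typeof msg.domain !== "string" || !DOMAIN_RE.test(msg.domain)) return false;
  sink.send({ action: msg.type, domain: msg.domain });
  return true;
}

// Constructed stand-ins for MessageEvent objects (origin, source, data).
const ownWindow = { name: "top" };
const otherFrame = { name: "iframe" };
const EVENTS = [
  // wrong origin: a third-party page asking for credentials
  { origin: "https://attacker.example.test", source: ownWindow,
    data: { type: "getCredentials", domain: "bank.example.test" } },
  // right origin but sent from a different window (embedded frame)
  { origin: TRUSTED_ORIGIN, source: otherFrame,
    data: { type: "getCredentials", domain: "bank.example.test" } },
  // legitimate request
  { origin: TRUSTED_ORIGIN, source: ownWindow,
    data: { type: "getCredentials", domain: "bank.example.test" } },
  // legitimate sender asking for an action that is not allow-listed
  { origin: TRUSTED_ORIGIN, source: ownWindow,
    data: { type: "runCommand", domain: "x" } },
];

// Runs both handlers over the sample events and returns how many messages
// each one forwarded to the privileged side.
function compareHandlers(events = EVENTS) {
  const insecure = makeSink();
  const hardened = makeSink();
  for (const ev of events) {
    handleMessageInsecure(ev, insecure);
    handleMessageHardened(ev, hardened, ownWindow);
  }
  return { insecure: insecure.forwarded.length, hardened: hardened.forwarded.length };
}

console.log(compareHandlers()); // { insecure: 3, hardened: 1 }
```

The insecure handler forwards three of the four messages, including the one from a foreign origin; the hardened one forwards only the legitimate request. In a real extension the origin and source checks belong in the content script, and the privileged background side should additionally verify that the sender is its own content script rather than trusting any message that arrives.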

More: Use LastPass checker to find sites vulnerable to ‘Heartbleed’

In a blog post, Lauren VanDam of LastPass wrote that the fixes are being pushed to all users and most should be updated automatically. Moreover, VanDam stated that the company has no indication that any of the reported vulnerabilities were exploited in the wild.

“On the night of March 20th, we received a report of an issue in our Chrome 4.1.42.80 extension. We immediately investigated and released a server-side workaround within a few hours. The exploit applied to all LastPass clients – Chrome, Firefox, Edge – in which an experimental user onboarding feature was released.”

“Later on March 21st, another report came in related to Firefox 4.1.35a. In fact, this vulnerability is largely the same as the one reported the prior day, and affecting the 4.x Firefox addon. While this issue would have been addressed by our full fix to follow our workaround, this report was received before this could be released. We issued an update, Firefox 4.1.36a, around 12:15 am ET today to specifically address that report.”

More: Leading Password Security Company LastPass Hacked

Although a password manager can save plenty of time, it is better not to use one when it puts your privacy at risk. This is also not the first time LastPass has been vulnerable to such attacks: last year LastPass was in the spotlight for similar reasons, and if proper measures are not taken, LastPass may lose its valuable audience.


Uzair Amir

I am an Electronic Engineer, an Android Game Developer and a Tech writer. I am into music, snooker and my life motto is 'Do my best, so that I can't blame myself for anything.'
