Flaws in LastPass Password Manager Allowed Hackers to Steal Credentials

Tavis Ormandy, a researcher at Google Project Zero, found critical security flaws in the well-known password manager LastPass that could allow attackers to steal stored passwords.

At first, LastPass version 3.3.2 was reported to have the bug. Mr. Ormandy has not made that finding public so far, and it appears the LastPass team is still working on a patch. However, things did not end there: soon after LastPass fixed the first issue, Mr. Ormandy found another bug in the password manager.


Mr. Ormandy pointed out that version 4.1.42 of the LastPass extension (for both Chrome and Firefox) contained another bug that could allow an attacker to steal users' passwords.

According to the Google Project Zero researcher, this vulnerability was even worse. It allowed an attacker to steal a user's password for any domain, and if the binary version of the extension was installed, the attacker could do more damage: the binary component could be made to run arbitrary code on the attacker's behalf via remote procedure call (RPC) commands.

Mr. Ormandy shared details of this flaw with the public, including a proof of concept (PoC), and explained that the vulnerability arose from the websiteConnector.js content script. A malicious web page could use that script to send unauthenticated messages to the extension, allowing the attacker either to steal passwords or to execute arbitrary code.


In a blog post, Lauren VanDam of LastPass wrote that the fixes are being pushed to all users and most should be updated automatically. Moreover, VanDam stated that the company has no indication that any of the reported vulnerabilities were exploited in the wild.

“On the night of March 20th, we received a report of an issue in our Chrome 4.1.42.80 extension. We immediately investigated and released a server-side workaround within a few hours. The exploit applied to all LastPass clients – Chrome, Firefox, Edge – in which an experimental user onboarding feature was released.”

“Later on March 21st, another report came in related to Firefox 4.1.35a. In fact, this vulnerability is largely the same as the one reported the prior day, and affecting the 4.x Firefox addon. While this issue would have been addressed by our full fix to follow our workaround, this report was received before this could be released. We issued an update, Firefox 4.1.36a, around 12:15 am ET today to specifically address that report.”


Although using a password manager can save plenty of time, when privacy is at risk it is better not to use one at all. This is also not the first time LastPass has been vulnerable to such attacks: last year LastPass was in the spotlight for similar reasons, and if proper measures are not taken, LastPass may lose its valuable audience.

Uzair Amir

I am an Electronic Engineer, an Android Game Developer and a Tech writer. I am into music, snooker and my life motto is ‘Do my best, so that I can’t blame myself for anything.’