The Security expert at Google Project Zero Tavis Ormandy discovered several vulnerabilities in Chrome and Firefox extensions of the LastPass password manager that can be exploited to steal passwords.
The expert also wrote PoC exploit for the flaw and highlighted that only one of them appears to have been patched by LastPass.
Ormandy first discovered a flaw in the Firefox version of the LastPass extension (version 3.3.2), he avoided to publicly disclose the details for obvious reasons. According to the Google disclosure policy, LastPass has 90 days to solve the issue before Project Zero experts will disclose the details.
LastPass confirmed that the security team is already working to fix the bug.
Yesterday, Ormandy reported another flaw that affected both the Chrome and Firefox versions of LastPass. The researcher explained that the vulnerability allowed attackers to steal a user’s passwords and, if the binary component was enabled, execute arbitrary code via remote procedure call (RPC) commands.
In order to exploit the flaw, the attacker has to trick victims into visiting a specially crafted web page.
In this case, LastPass promptly issued a temporary fix and immediately after announced it has fully patched the vulnerability on the server side.
Ormandy publicly disclosed the details of the flaw including a proof-of-concept (PoC) code. The flaw existed due to the websiteConnector.js content script proxying unauthenticated messages to the extension. An attacker can exploit it to gain access to internal LastPass RPC commands.
“Therefore, this allows complete access to internal privileged LastPass RPC commands. There are hundreds of internal LastPass RPCs, but the obviously bad ones are things copying and filling in passwords (copypass, fillform, etc).” wrote the expert. “If you install the binary component (https://lastpass.com/support.php?cmd=showfaq&id=5576), you can also use “openattach” to run arbitrary code.”
Ormandy also spotted another vulnerability that can be exploited to steal passwords for any domain.
[adrotate banner=”9″]
(Security Affairs – LastPass, hacking)
Nation-state actor UAT4356 has been exploiting two zero-days in ASA and FTD firewalls since November…
A malware campaign has been exploiting the updating mechanism of the eScan antivirus to distribute…
The Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned four Iranian nationals for their…
A cyber attack on Leicester City Council resulted in certain street lights remaining illuminated all…
The National Police Agency in South Korea warns that North Korea-linked threat actors are targeting…
The U.S. Department of State imposed visa restrictions on 13 individuals allegedly linked to the…
This website uses cookies.