
Vulnerabilities in LastPass allowed attackers to steal passwords

The notorious Google Project Zero hacker Tavis Ormandy discovered numerous vulnerabilities in the Chrome and Firefox extensions of the LastPass password manager.

Tavis Ormandy, a security expert at Google Project Zero, discovered several vulnerabilities in the Chrome and Firefox extensions of the LastPass password manager that can be exploited to steal passwords.

The expert also wrote a PoC exploit for the flaw and highlighted that only one of the vulnerabilities appears to have been patched by LastPass.

Ormandy first discovered a flaw in the Firefox version of the LastPass extension (version 3.3.2), but he refrained from publicly disclosing the details for obvious reasons. Under the Google disclosure policy, LastPass has 90 days to fix the issue before Project Zero experts disclose the details.

LastPass confirmed that the security team is already working to fix the bug.

Yesterday, Ormandy reported another flaw that affected both the Chrome and Firefox versions of LastPass. The researcher explained that the vulnerability allowed attackers to steal a user’s passwords and, if the binary component was enabled, execute arbitrary code via remote procedure call (RPC) commands.

In order to exploit the flaw, the attacker has to trick victims into visiting a specially crafted web page.

In this case, LastPass promptly issued a temporary fix and shortly afterwards announced that it had fully patched the vulnerability on the server side.

Ormandy publicly disclosed the details of the flaw, including proof-of-concept (PoC) code. The flaw existed because the websiteConnector.js content script proxied unauthenticated messages to the extension. An attacker can exploit it to gain access to internal LastPass RPC commands.

“Therefore, this allows complete access to internal privileged LastPass RPC commands. There are hundreds of internal LastPass RPCs, but the obviously bad ones are things copying and filling in passwords (copypass, fillform, etc).” wrote the expert. “If you install the binary component (https://lastpass.com/support.php?cmd=showfaq&id=5576), you can also use “openattach” to run arbitrary code.”
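The relay pattern described above, as an added example that is not LastPass's code or Ormandy's PoC: a simplified model of a content script that forwards page messages to the extension, first with no authentication and then with a sender check and a command allowlist. The function names, the trusted origin and the allowed command names are assumptions made for illustration.

```javascript
// Simplified model of a content-script relay (all names are hypothetical).
// `event` mimics a window "message" event; `send` stands in for the call that
// hands a message to the privileged extension background page.

const TRUSTED_ORIGINS = new Set(["https://lastpass.com"]); // assumed vendor origin
// Low-privilege commands a web page may request (hypothetical names).
const PAGE_ALLOWED_CMDS = new Set(["ping", "getstatus"]);

// Vulnerable pattern: every page message is proxied without authentication.
function relayUnsafe(event, send) {
  send(event.data);
  return true;
}

// Hardened pattern: authenticate the sender, then allowlist the command.
function relayHardened(event, send, topWindow) {
  if (event.source !== topWindow) return false;          // ignore frames and other windows
  if (!TRUSTED_ORIGINS.has(event.origin)) return false;  // exact origin match only
  const msg = event.data;
  if (typeof msg !== "object" || msg === null) return false;
  if (typeof msg.cmd !== "string" || !PAGE_ALLOWED_CMDS.has(msg.cmd)) return false;
  // Forward only known fields and tag the message as page-originated, so the
  // background page can refuse privileged RPCs for it as a second check.
  send({ cmd: msg.cmd, fromPage: true });
  return true;
}

// Constructed sample events (not captured traffic).
function demo() {
  const top = {}; // stand-in for the tab's top-level window
  const events = [
    { origin: "https://untrusted.example", source: top, data: { cmd: "copypass" } },
    { origin: "https://lastpass.com", source: top, data: { cmd: "openattach" } },
    { origin: "https://lastpass.com", source: top, data: { cmd: "ping", extra: 1 } },
    { origin: "https://lastpass.com.untrusted.example", source: top, data: { cmd: "ping" } },
  ];
  const unsafe = [], hardened = [];
  for (const e of events) {
    relayUnsafe(e, (m) => unsafe.push(m));
    relayHardened(e, (m) => hardened.push(m), top);
  }
  return { unsafe, hardened };
}

console.log(JSON.stringify(demo(), null, 2));
```

The unsafe relay forwards all four constructed messages, including the privileged command names quoted above; the hardened relay forwards only the allowlisted command from the exact trusted origin and strips the extra field.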

Ormandy also spotted another vulnerability that can be exploited to steal passwords for any domain.


Pierluigi Paganini

(Security Affairs – LastPass, hacking)
