Hacking

Google hacker found a third flaw in the LastPass password manager in a few weeks

The Google hacker Tavis Ormandy discovered a third flaw in LastPass password manager in a few weeks, the expert provided a few details about the issue.

A couple of weeks ago, the notorious Google Project Zero hacker Tavis Ormandy discovered numerous vulnerabilities in the Chrome and Firefox extensions of the LastPass password manager.

The company quickly started fixing the issue but the popular hackers announced the discovery of new bugs while completing its tests.

Now the development team is hardly working to solve a serious flaw that could be exploited by attackers to steal user passcodes by simply tricking victims into visiting a specifically crafted malicious website, the flaw also allows hackers in some cases to execute malicious code on computers running the program.

This is the third flaw discovered by Ormandy this month, the expert provided a few details about the issue across the weekend.

The expert announced to have developed a PoC exploit code that shared with the LastPass development team that have three months to patch the issue before Project Zero discloses technical details.

“It will take a long time to fix this properly,” Ormandy said. “It’s a major architectural problem. They have 90 days, no need to scramble!”

When people has the LastPass binary running, the vulnerability could be exploited to allow malicious sites to execute arbitrary code on the visitor’s machine.

The flaw could also be exploited in the absence of the LastPass binary in a way that lets malicious sites steal passwords from the protected LastPass vault.

The company confirmed that they are already working on a fix, as temporary mitigation they suggest users to enter stored passwords into websites using the LastPass vault as a launch pad for opening websites and to enter passwords and enable two-factor authentication on sites that offer it.

“Over the weekend, Google security researcher Tavis Ormandy reported a new client-side vulnerability in the LastPass browser extension. We are now actively addressing the vulnerability.  This attack is unique and highly sophisticated.” reads the security advisory published by Ormandy.

“In the meantime, we want to thank people like Tavis who help us raise the bar for online security with LastPass, and work with our teams to continue to make LastPass the most secure password manager on the market. And we want to offer our users with a few steps they can take to further protect themselves from these types of client-side issues.”

Below the suggestions published by LastPass.

  1. Use the LastPass Vault as a launch pad – Launch sites directly from the LastPass vault. This is the safest way to access your credentials and sites until this vulnerability is resolved.
  2. Two-Factor Authentication on any service that offers it – Whenever possible, turn on two-factor authentication with your accounts; many websites now offer this option for added security.
  3. Beware of Phishing Attacks – Always be vigilant to avoid phishing attempts. Do not click on links from people you don’t know, or that seem out of character from your trusted contacts and companies. Take a look at our phishing primer.

Stay tuned.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – password manager, hacking)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco warns of password-spraying attacks targeting Secure Firewall devices

Cisco warns customers of password-spraying attacks that have been targeting Remote Access VPN (RAVPN) services…

2 hours ago

American fast-fashion firm Hot Topic hit by credential stuffing attacks

Hot Topic suffered credential stuffing attacks that exposed customers' personal information and partial payment data.…

6 hours ago

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

20 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

1 day ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

2 days ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

2 days ago

This website uses cookies.