Tavis Ormandy, a researcher at Google Project Zero, has found critical security flaws in the popular password manager LastPass. The flaws could allow an attacker to steal a user's passwords and credentials.
The first bug was reported in LastPass version 3.3.2. Ormandy initially withheld the details while the LastPass team worked on a patch. But things did not end there: soon after LastPass fixed that issue, Ormandy found another serious bug in the password manager.
We are aware of the report by @taviso and our team has put a workaround in place while we work on a resolution. Stay tuned for updates.
— LastPass (@LastPass) March 21, 2017
Ormandy pointed out that the newer LastPass version 4.1.42 (both the Firefox and Chrome extensions) has another bug that can allow an attacker to steal users' passwords.
Oops, new LastPass bug that affects 4.1.42 (Chrome&FF). RCE if you use the "Binary Component", otherwise can steal pwds. Full report on way. pic.twitter.com/y92vm3Ibxd
— Tavis Ormandy (@taviso) March 20, 2017
We are aware of reports of a Firefox add-on vulnerability. Our security is investigating and working on issuing a fix.
— LastPass (@LastPass) March 22, 2017
According to Google Project Zero, this vulnerability is even worse. It allows an attacker to steal the user's password for any domain, and the attacker can do more damage if the binary component of the extension is installed: in that case the bug can be exploited to run code of the attacker's choosing (remote code execution).
Ormandy later published the details of the flaw together with a proof of concept (PoC), explaining that the vulnerability stems from the websiteConnector.js content script (the part of the extension that is injected into web pages). The script could be abused by attackers to send unauthenticated messages to the extension, allowing them to steal passwords or, with the binary component installed, execute arbitrary code.
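A generic illustration of the bug class described above, written for this page (it is not LastPass's websiteConnector.js and not Ormandy's proof of concept): a content script that relays page messages to the extension without checking who sent them, next to a relay that validates the message source, origin, shape and command before anything reaches the privileged side. The origins, command names and backend are hypothetical, and the MessageEvent-like objects are constructed inline so the file runs offline under Node.

```javascript
// Added illustration of the bug class, not LastPass code and not Ormandy's PoC.
// A content script that forwards every window.postMessage it receives into the
// extension lets any web page drive privileged extension commands. The hardened
// relay enforces a source check, an origin allowlist, a message schema and a
// per-origin command allowlist. Origins, commands and the backend are hypothetical.

// Hypothetical privileged backend (stands in for the extension's background page).
function extensionBackend(message) {
  switch (message.cmd) {
    case "getCredentials":
      // A real extension would return stored credentials for `site`; the model
      // returns a marker so a caller can observe that the command ran.
      return { ok: true, cmd: message.cmd, site: message.site };
    case "ping":
      return { ok: true, cmd: "ping" };
    default:
      return { ok: false, error: "unknown command" };
  }
}

// Vulnerable relay: forwards whatever the page posted, with no sender checks.
// The page even chooses which site's credentials it asks for.
function vulnerableRelay(event) {
  return extensionBackend(event.data);
}

// Which commands each origin may issue. A Map (not a plain object) so that
// origins like "constructor" or "__proto__" cannot hit prototype properties.
const ORIGIN_POLICY = new Map([
  ["https://vault.example", new Set(["ping", "getCredentials"])], // hypothetical trusted site
]);

// Hardened relay: establish where the message came from and what it asks for
// before it goes anywhere near the privileged side.
function hardenedRelay(event, pageWindow) {
  // A postMessage from the page itself arrives with event.source === window;
  // messages originating in frames or other windows are dropped.
  if (event.source !== pageWindow) {
    return { ok: false, error: "rejected: unexpected source" };
  }
  const allowed = ORIGIN_POLICY.get(event.origin);
  if (!allowed) {
    return { ok: false, error: "rejected: untrusted origin " + event.origin };
  }
  const data = event.data;
  if (data === null || typeof data !== "object" || typeof data.cmd !== "string") {
    return { ok: false, error: "rejected: malformed message" };
  }
  if (!allowed.has(data.cmd)) {
    return { ok: false, error: "rejected: command not permitted for origin" };
  }
  // Forward only schema-defined fields, and bind the request to the verified
  // origin rather than to a site name the page supplied.
  return extensionBackend({ cmd: data.cmd, site: event.origin });
}

// Constructed MessageEvent-like objects, shaped like what a content script's
// window.addEventListener("message", ...) handler would receive.
const PAGE_WINDOW = { name: "top-level page window" }; // stands in for `window`

function attackerMessage() {
  return {
    origin: "https://evil.example", // hypothetical attacker-controlled page
    source: PAGE_WINDOW,
    data: { cmd: "getCredentials", site: "https://bank.example" },
  };
}

function trustedMessage() {
  return {
    origin: "https://vault.example",
    source: PAGE_WINDOW,
    data: { cmd: "getCredentials" },
  };
}

// Runs the same attacker message through both relays, plus two edge cases.
function demo() {
  return {
    vulnerableFromAttacker: vulnerableRelay(attackerMessage()),
    hardenedFromAttacker: hardenedRelay(attackerMessage(), PAGE_WINDOW),
    hardenedFromTrusted: hardenedRelay(trustedMessage(), PAGE_WINDOW),
    hardenedFromFrame: hardenedRelay({ ...trustedMessage(), source: { name: "iframe" } }, PAGE_WINDOW),
    hardenedMalformed: hardenedRelay({ ...trustedMessage(), data: "getCredentials" }, PAGE_WINDOW),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

In the vulnerable relay the attacker's page obtains a result for `https://bank.example`, a domain it does not control, which is the "steal passwords for any domain" outcome. Two design points carry over to real extensions: the content script runs inside the page's world, so the privileged side must treat it as an untrusted client and re-validate every message rather than relying on the relay alone, and the request should be bound to the verified `event.origin`, never to a site name the page chooses.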
In a blog post, Lauren VanDam of LastPass wrote that the fixes were being pushed to all users and that most installations should update automatically. VanDam also stated that the company had no indication that any of the reported vulnerabilities had been exploited in the wild.