A researcher at Google Project Zero named Tavis Ormandy has found critical security flaws in the popular password manager LastPass. The flaws could allow attackers to steal users' passwords and other credentials.
The first bug was reported in LastPass version 3.3.2. Ormandy did not make the findings public at the time, and the LastPass team worked on a patch. But things did not end there: soon after LastPass fixed that issue, Ormandy found another serious bug in the password manager.
Ormandy pointed out that the newer LastPass version 4.1.42 (both the Firefox and Chrome extensions) has another bug that can allow an attacker to steal users' passwords.
According to the Project Zero researchers, this vulnerability is even worse. It allows an attacker to steal a user's password for any domain, and the damage is greater if the binary component of the extension is installed: in that case the flaw can be exploited to run arbitrary code of the attacker's choosing on the victim's machine.
Ormandy later shared details of the flaw publicly, including a proof of concept (PoC), and explained that the vulnerability stems from the websiteConnector.js content script. An attacker can abuse the script to send unauthenticated messages from a web page to the extension, which is what allows either arbitrary code execution (with the binary component) or password theft.
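The bug class described above, a content script that relays web-page messages to the privileged extension side without authenticating them, can be illustrated with a constructed example. The code below is an added illustration written for this article, not LastPass's websiteConnector.js or any other LastPass code; the vault contents, the allowlisted origin, the command names and the two relay functions are all assumptions made for the demo. The vulnerable relay forwards whatever the page sends; the hardened one checks the message source and origin, restricts which commands a page may issue, and forwards only the fields it expects.

```javascript
// Constructed illustration of an unauthenticated page-to-extension message
// relay and a hardened version. Not LastPass code; every name here is assumed.

// Stand-in for the privileged extension background script. Anyone who can
// reach it can ask for credentials for any domain, so the relay in front of
// it is the only line of defence.
const VAULT = {
  "bank.example": { username: "alice", password: "correct horse battery staple" },
};

function extensionBackground(msg) {
  switch (msg && msg.cmd) {
    case "getVersion":
      return { version: "4.1.42" };
    case "getCredentials":
      return VAULT[msg.domain] || null;
    default:
      return { error: "unknown command" };
  }
}

// Vulnerable relay: a window "message" event from the page is forwarded
// verbatim, with no check of who sent it or what it asks for.
function vulnerableRelay(event, win) {
  return extensionBackground(event.data);
}

// Assumed allowlist of origins permitted to talk to the extension, and the
// only command a web page is ever allowed to send through the relay.
const TRUSTED_ORIGINS = new Set(["https://lastpass.com"]);
const PAGE_COMMANDS = new Set(["getVersion"]);

// Hardened relay: same-window source only, allowlisted origin only,
// allowlisted command only, and only the expected field is forwarded.
function hardenedRelay(event, win) {
  if (event.source !== win) return { error: "rejected: message from another window" };
  if (!TRUSTED_ORIGINS.has(event.origin)) return { error: "rejected: untrusted origin" };
  const data = event.data;
  if (data === null || typeof data !== "object" || !PAGE_COMMANDS.has(data.cmd)) {
    return { error: "rejected: command not allowed from page" };
  }
  return extensionBackground({ cmd: data.cmd });
}

// Constructed sample events, shaped like the MessageEvent a content script
// sees: an attacker's page asking for another site's credentials, and a
// benign request from the allowlisted origin.
const PAGE_WINDOW = { name: "top" };
const ATTACKER_EVENT = {
  origin: "https://attacker.example",
  source: PAGE_WINDOW,
  data: { cmd: "getCredentials", domain: "bank.example" },
};
const BENIGN_EVENT = {
  origin: "https://lastpass.com",
  source: PAGE_WINDOW,
  data: { cmd: "getVersion" },
};

function demo() {
  return {
    leakedByVulnerableRelay: vulnerableRelay(ATTACKER_EVENT, PAGE_WINDOW),
    attackerViaHardened: hardenedRelay(ATTACKER_EVENT, PAGE_WINDOW),
    benignViaHardened: hardenedRelay(BENIGN_EVENT, PAGE_WINDOW),
  };
}

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Running the block shows the vulnerable relay handing the attacker's page the bank.example password, while the hardened relay rejects the same request on origin and would also reject it on command even from a trusted origin. In a real extension the origin check alone is not enough: a page can embed a trusted origin in an iframe, which is why the source check (only the window the script runs in) and the command allowlist are both needed.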
In a blog post, Lauren VanDam of LastPass wrote that the fixes are being pushed to all users and that most installations should update automatically. VanDam also stated that the company has no indication that any of the reported vulnerabilities were exploited in the wild.