LastPass working on security update for newly discovered browser extension vulnerability [Update]

Technology, both in terms of hardware and software, is there to make our lives better, but it is by no means perfect. Bugs can either be a potential annoyance or expose you to some more serious side effects of their presence.

On March 20, Tavis Ormandy, a researcher at Google's Project Zero, uncovered two RCE (Remote Code Execution) vulnerabilities that affected LastPass' browser extensions.

Oops, new LastPass bug that affects 4.1.42 (Chrome&FF). RCE if you use the "Binary Component", otherwise can steal pwds. Full report on way. pic.twitter.com/y92vm3Ibxd

— Tavis Ormandy (@taviso) March 20, 2017

Following this announcement, the firm acknowledged the vulnerability on Twitter, stating that it was aware of what had been reported and that the team "has put a workaround in place while we work on a resolution". As of 2:49 PM US Eastern Time on March 22, updated extensions for Firefox and Chrome containing the fix had been released, with the Opera and Edge add-ons still pending approval. LastPass released a full report on its blog. That, however, was not all.

On March 25, Tavis discovered yet another vulnerability, affecting version 4.1.43, the latest for Google Chrome.

Ah-ha, I had an epiphany in the shower this morning and realized how to get codeexec in LastPass 4.1.43. Full report and exploit on the way. pic.twitter.com/vQn20D9VCy

— Tavis Ormandy (@taviso) March 25, 2017

In response to this, the password-manager maker amended its original article detailing the March 20 vulnerability by stating:

Update March 25, 2017 (5:00pm): Our team is currently investigating a new report by Tavis Ormandy and will update our community when we have more details. Thank you.

To expand on the issue, LastPass also put up a post today in which it made clear that a fix is being worked on. The client-side vulnerability discovered over the weekend allows for an attack that is "unique and highly sophisticated". As such, the firm declined to disclose anything specific about either the vulnerability or the patch until everything is said and done. The reasoning given is that doing so could "reveal anything to less sophisticated but nefarious parties", which is of course not the intention.

As a precaution, until everything is sorted, LastPass recommends that you launch sites directly from the vault (to protect your sign-in credentials), use two-factor authentication on every service that offers it, and stay vigilant to avoid phishing attempts.

Source: LastPass Blog, Tavis Ormandy on Twitter 1, 2

Update: LastPass has updated its initial post on the matter with a detailed incident report. An overview of the process has also been provided by the firm:

  • This was a client-side vulnerability in the LastPass browser extensions and could be exploited to steal data and manipulate the LastPass extension
  • Exploiting required luring a user to a malicious website (through phishing, spearphishing, or other attack), or to a trusted website running malicious adware
  • This requires a per-user attack that must be executed through the user’s local browser

As of this writing, all browser extensions have been patched. This vulnerability did not affect LastPass' iOS and Android apps. The firm recommends you run version 4.1.44 or higher of the extension, with most users being updated automatically.
