Technology, both in terms of hardware and software, is there to make our lives better, but it is by no means perfect. Bugs can either be a potential annoyance or expose you to some more serious side effects of their presence.
On March 20, Tavis Ormandy, a researcher at Google's Project Zero, uncovered two RCE (Remote Code Execution) vulnerabilities that affected LastPass' browser extensions.
Following this announcement, the firm acknowledged the vulnerability on Twitter, stating that it was aware of what had been reported and that the team "has put a workaround in place while we work on a resolution". As of 2:49 PM US Eastern time on March 22, updated extensions for Firefox and Chrome containing the fix had been released, with the Opera and Edge add-ons still pending approval. LastPass released a full report on its blog. That, however, was not all.
On March 25, Tavis discovered yet another vulnerability, affecting version 4.1.43, the latest for Google Chrome.
In response, the password manager's maker amended its original article detailing the March 20 vulnerability with the following statement:
Update March 25, 2017 (5:00pm): Our team is currently investigating a new report by Tavis Ormandy and will update our community when we have more details. Thank you.
To expand on the issue, LastPass also put up a post today making it clear that a fix is being worked on. The client-side vulnerability discovered over the weekend allows for an attack that is "unique and highly sophisticated". As such, the firm declined to disclose anything specific about either the vulnerability or the patch until the fix is complete, reasoning that doing so could "reveal anything to less sophisticated but nefarious parties".
As a precaution, until the fix is rolled out, LastPass recommends that you launch sites directly from the vault (to protect your sign-in credentials), use two-factor authentication on every service that offers it, and stay vigilant against phishing attempts.
Source: LastPass Blog, Tavis Ormandy on Twitter (two tweets)
Update: LastPass has updated its initial post on the matter with a detailed incident report. An overview of the process has also been provided by the firm:
- This was a client-side vulnerability in the LastPass browser extensions and could be exploited to steal data and manipulate the LastPass extension
- Exploiting required luring a user to a malicious website (through phishing, spearphishing, or other attack), or to a trusted website running malicious adware
- This requires a per-user attack that must be executed through the user’s local browser
As of this writing, all browser extensions have been patched. The vulnerability did not affect the LastPass iOS and Android apps. The firm recommends running version 4.1.44 or higher of the extension; most users will be updated automatically.