
LastPass fixes serious password leak vulnerabilities

One of the flaws could have also allowed for malicious code execution on users' computers under certain conditions

Romania Correspondent, IDG News Service


Developers of the popular LastPass password manager rushed to push out a fix to solve a serious vulnerability that could have allowed attackers to steal users' passwords or execute malicious code on their computers.

The vulnerability was discovered by Google security researcher Tavis Ormandy and was reported to LastPass on Monday. It affected the browser extensions installed by the service's users for Google Chrome, Mozilla Firefox and Microsoft Edge.

According to a description in the Google Project Zero bug tracker, the vulnerability could have given attackers access to internal commands inside the LastPass extension. Those are the commands used by the extension to copy passwords or fill in web forms using information stored in the user's secure vault.

If the extension's binary component is installed, the "openattach" command can be used to run arbitrary code on the computer, Ormandy said on the bug tracker.

The LastPass developers deployed a workaround on their server to prevent exploitation and plan to include a full fix in new versions.

On Tuesday Ormandy reported another vulnerability in the Firefox extension that, according to the LastPass developers, was related to the first one. That vulnerability was fixed in a new version of the Firefox extension, 4.1.36a, that was released Wednesday.

"We have no indication that any of the reported vulnerabilities were exploited in the wild, but we’re doing a thorough review at this time to confirm," the LastPass developers said in a blog post. "No password changes are required of users at this time."


Lucian Constantin is an IDG News Service correspondent. He writes about information security, privacy, and data protection.
