According to Ormandy, this isn't as hard as it sounds, as an attacker could easily disguise a malicious link behind a Google Translate URL, trick users into visiting the link, and then extract credentials from a previously visited site. Since the bug relies on executing malicious JavaScript code alone, with no other user interaction, the bug is considered dangerous and potentially exploitable.Īttackers could lure users on malicious pages and exploit the vulnerability to extract the credentials users had entered on previously-visited sites. The security researcher's bug report walks an attacker through the steps necessary to reproduce the bug. This is because yesterday, Ormandy published details about the security flaw he found.
If users have not enabled an auto-update mechanism for their LastPass browser extensions, they're advised to perform a manual update as soon as possible. In a blog post, the company said the bug only impacts its Chrome and Opera browser extensions. LastPass, believed to be the most popular password manager app today, fixed the reported issue in version 4.33.0, released last week, on September 12. The bug was discovered last month by Tavis Ormandy, a security researcher with Project Zero, Google's elite security and bug-hunting team.
This vulnerability did not affect LastPass' iOS and Android apps.
This requires a per-user attack that must be executed through the user’s local browserĪs of this writing, all browser extensions have been patched.Exploiting required luring a user to a malicious website (through phishing, spearphishing, or other attack), or to a trusted website running malicious adware.This was a client-side vulnerability in the LastPass browser extensions and could be exploited to steal data and manipulate the LastPass extension.An overview of the process has also been provided by the firm: Update: LastPass has updated its initial post on the matter with a detailed incident report. Source: LastPass Blog, Tavis Ormandy on Twitter 1, 2 The reasoning given is that doing so could "reveal anything to less sophisticated but nefarious parties", which is of course not the intention.Īs a precaution, until everything is sorted, LastPass recommends you launch sites directly from the vault (to protect your sign-in credentials), use two-factor authentication on every service that offers it, and to stay vigilant to avoid phishing attempts. As such, the firm declined to disclose anything specific about either the vulnerability or the patch, until everything is said and done. The client side vulnerability discovered over the weekend allows for an attack that is "unique and highly sophisticated". To expand on the issue, LastPass also put up a post today, in which they made it clear that a fix is being worked on. Update Ma(5:00pm): Our team is currently investigating a new report by Tavis Ormandy and will update our community when we have more details. In response to this, the password manager-maker amended its original article detailing March 20's vulnerability by stating:
Ah-ha, I had an epiphany in the shower this morning and realized how to get codeexec in LastPass 4.1.43.