The Security expert at Google Project Zero Tavis Ormandy discovered several vulnerabilities in Chrome and Firefox extensions of the LastPass password manager that can be exploited to steal passwords.
The expert also wrote PoC exploit for the flaw and highlighted that only one of them appears to have been patched by LastPass.
Ormandy first discovered a flaw in the Firefox version of the LastPass extension (version 3.3.2), he avoided to publicly disclose the details for obvious reasons. According to the Google disclosure policy, LastPass has 90 days to solve the issue before Project Zero experts will disclose the details.
Wrote a quick exploit for another LastPass vulnerability. Only affects version on https://t.co/lGcefN9YXM (3.3.2), report on way. ¯_(ツ)_/¯ pic.twitter.com/AgjASiQMfJ
— Tavis Ormandy (@taviso) March 16, 2017
LastPass confirmed that the security team is already working to fix the bug.
We are aware of reports of a Firefox add-on vulnerability. Our security is investigating and working on issuing a fix.
— LastPass (@LastPass) March 22, 2017
Yesterday, Ormandy reported another flaw that affected both the Chrome and Firefox versions of LastPass. The researcher explained that the vulnerability allowed attackers to steal a user’s passwords and, if the binary component was enabled, execute arbitrary code via remote procedure call (RPC) commands.
In order to exploit the flaw, the attacker has to trick victims into visiting a specially crafted web page.
In this case, LastPass promptly issued a temporary fix and immediately after announced it has fully patched the vulnerability on the server side.
The issue reported by Tavis Ormandy has been resolved. We will provide additional details on our blog soon.
— LastPass (@LastPass) March 21, 2017
Ormandy publicly disclosed the details of the flaw including a proof-of-concept (PoC) code. The flaw existed due to the websiteConnector.js content script proxying unauthenticated messages to the extension. An attacker can exploit it to gain access to internal LastPass RPC commands.
“Therefore, this allows complete access to internal privileged LastPass RPC commands. There are hundreds of internal LastPass RPCs, but the obviously bad ones are things copying and filling in passwords (copypass, fillform, etc).” wrote the expert. “If you install the binary component (https://lastpass.com/support.php?cmd=showfaq&id=5576), you can also use “openattach” to run arbitrary code.”
Ormandy also spotted another vulnerability that can be exploited to steal passwords for any domain.
I found another bug in LastPass 4.1.35 (unpatched), allows stealing passwords for any domain. Full report will be on the way shortly. pic.twitter.com/9VkV7R3vud
— Tavis Ormandy (@taviso) March 21, 2017
(Security Affairs – LastPass, hacking)