A couple of weeks ago, the notorious Google Project Zero hacker Tavis Ormandy discovered numerous vulnerabilities in the Chrome and Firefox extensions of the LastPass password manager.
— Tavis Ormandy (@taviso) March 16, 2017
The company quickly started fixing the issue but the popular hackers announced the discovery of new bugs while completing its tests.
Now the development team is hardly working to solve a serious flaw that could be exploited by attackers to steal user passcodes by simply tricking victims into visiting a specifically crafted malicious website, the flaw also allows hackers in some cases to execute malicious code on computers running the program.
This is the third flaw discovered by Ormandy this month, the expert provided a few details about the issue across the weekend.
The expert announced to have developed a PoC exploit code that shared with the LastPass development team that have three months to patch the issue before Project Zero discloses technical details.
“It will take a long time to fix this properly,” Ormandy said. “It’s a major architectural problem. They have 90 days, no need to scramble!”
Ah-ha, I had an epiphany in the shower this morning and realized how to get codeexec in LastPass 4.1.43. Full report and exploit on the way. pic.twitter.com/vQn20D9VCy
— Tavis Ormandy (@taviso) March 25, 2017
When people has the LastPass binary running, the vulnerability could be exploited to allow malicious sites to execute arbitrary code on the visitor’s machine.
The flaw could also be exploited in the absence of the LastPass binary in a way that lets malicious sites steal passwords from the protected LastPass vault.
The company confirmed that they are already working on a fix, as temporary mitigation they suggest users to enter stored passwords into websites using the LastPass vault as a launch pad for opening websites and to enter passwords and enable two-factor authentication on sites that offer it.
“Over the weekend, Google security researcher Tavis Ormandy reported a new client-side vulnerability in the LastPass browser extension. We are now actively addressing the vulnerability. This attack is unique and highly sophisticated.” reads the security advisory published by Ormandy.
“In the meantime, we want to thank people like Tavis who help us raise the bar for online security with LastPass, and work with our teams to continue to make LastPass the most secure password manager on the market. And we want to offer our users with a few steps they can take to further protect themselves from these types of client-side issues.”
Below the suggestions published by LastPass.
(Security Affairs – password manager, hacking)