LastPass fixes serious password leak vulnerabilities

One of the flaws could have also allowed for malicious code execution on users' computers under certain conditions

Romania Correspondent, IDG News Service


Developers of the popular LastPass password manager rushed out a fix for a serious vulnerability that could have allowed attackers to steal users' passwords or execute malicious code on their computers.

The vulnerability was discovered by Google security researcher Tavis Ormandy and was reported to LastPass on Monday. It affected the browser extensions installed by the service's users for Google Chrome, Mozilla Firefox and Microsoft Edge.

According to a description in the Google Project Zero bug tracker, the vulnerability could have given attackers access to internal commands inside the LastPass extension. Those are the commands used by the extension to copy passwords or fill in web forms using information stored in the user's secure vault.

If the extension's binary component is installed, the "openattach" command can be used to run arbitrary code on the computer, Ormandy said on the bug tracker.

The LastPass developers deployed a workaround on their server to prevent exploitation and plan to include a full fix in new versions.

On Tuesday Ormandy reported another vulnerability in the Firefox extension that, according to the LastPass developers, was related to the first one. That vulnerability was fixed in a new version of the Firefox extension, 4.1.36a, that was released Wednesday.

"We have no indication that any of the reported vulnerabilities were exploited in the wild, but we’re doing a thorough review at this time to confirm," the LastPass developers said in a blog post. "No password changes are required of users at this time."


Lucian Constantin is an IDG News Service correspondent. He writes about information security, privacy, and data protection.
