Critical security flaws found in LastPass on Chrome, Firefox

Last year Google Project Zero researcher Tavis Ormandy quickly found some “obvious” security problems in the popular password manager LastPass, and now he’s done it again. Last week Ormandy mentioned finding an exploit in one version of its extension for Firefox, before following that up with a new bug that affected both Chrome and Firefox, and finally a third vulnerability that could allow “stealing passwords for any domain.”

The first vulnerability apparently has not been fixed for users yet; Ormandy suggests the delay may be Mozilla needing time to review the updated extension before pushing it out. Based on his tweet, it could expose a user's passwords, but the full details have not been disclosed.

The second issue could be more serious: it allows stealing a user's passwords or, if the binary version of the extension is installed, running any code the attacker chooses (in Ormandy's demonstration, the target's computer opens the Calculator program). According to LastPass the issue has been resolved, although a promised follow-up blog post with more details has yet to appear.

There’s even less info available about the latest vulnerability identified, although the version number (4.1.35) matches a LastPass changelog note for its most recent Internet Explorer add-on.

The pace of these discoveries and the lack of information from LastPass are certainly troubling, even though using a password manager to maintain unique passwords generally helps protect you from being hacked. We've contacted the company and will update this post with any news; in the meantime, it may be wise to disable the affected browser extensions. If you're suddenly looking for another service to store your important login information, Tavis (who makes a habit of poking holes in security products) suggested KeePass, a manager that doesn't use browser extensions and so keeps a layer of separation between websites and your vault.

Source: Tavis Ormandy (Twitter), LastPass (Twitter), LastPass Support Forum

Source: Engadget

Author: Daily Tech Whip

