Zero-day flaw leaves LastPass vulnerable to attack [UPDATE: it's fixed]
A Google Project Zero hacker has discovered a zero-day vulnerability in the password manager LastPass that could lead to accounts being completely compromised.
The security flaw can be triggered simply by visiting a malicious website. Its discoverer, white hat security researcher Tavis Ormandy, has filed a full report with LastPass so that the vulnerability can be patched.
As the security hole is yet to be fixed, full details have not been publicly released. However, Ormandy has gone as far as saying that "it's a complete remote compromise" -- something which will no doubt concern LastPass users.
Posting on Twitter, Ormandy ridiculed LastPass:
Are people really using this lastpass thing? I took a quick look and can see a bunch of obvious critical problems. I'll send a report asap.
— Tavis Ormandy (@taviso) July 26, 2016
A former LastPass engineer joined in with the conversation saying: "I never touched [the binary]. Very neglected. There's a lot of stuff between message passing between extension and binary that is scary".
This is not the first time LastPass has been found to be less than secure. Another researcher discovered a way to access account data including usernames and passwords, but this has already been fixed.
LastPass has issued a statement on its blog indicating that the two problems have now been fixed. The company says:
Security is fundamental to what we do here at LastPass. Our first priority is always responding to and fixing reports as quickly as possible.
In follow-up to recent news, we want to address in more detail two security reports that have been disclosed to our team. One report was disclosed yesterday, while the other report was responsibly reported and fixed over a year ago. Notably, both exploits do require tricking a user via a phishing attack into going to a malicious website.
The first report was responsibly disclosed to our team over a year ago by security researcher Mathias Karlsson, and fixed at that time. Karlsson recently posted his findings on the URL parsing bug. All browser clients were updated and Karlsson confirmed our fix at that time, requiring no action from our users.
The second report was made yesterday by Google Security Team researcher Tavis Ormandy, who contacted our team to report a message-hijacking bug that affected the LastPass Firefox addon. First, an attacker would need to successfully lure a LastPass user to a malicious website. Once there, Ormandy demonstrated that the website could then execute LastPass actions in the background without the user’s knowledge, such as deleting items. As noted below, this issue has been fully addressed and an update with a fix was pushed for all Firefox users using LastPass 4.0.