Critical LastPass Security Flaws Could Have Allowed Hackers to Steal User Passwords
Reports earlier this year had already shown how password managers can leak user data. A fresh report from Google researcher Tavis Ormandy is a further reminder that, like any other software, password management tools are vulnerable to bugs and attacks. Ormandy disclosed a critical vulnerability in LastPass that could have allowed attackers to steal user passwords.
LastPass could have been leaking your passwords
On Monday, Ormandy reported a vulnerability affecting the Chrome and Firefox extensions of the popular password manager, warning that the add-ons could be abused to steal user passwords. He later said he had identified a second vulnerability that could be exploited to steal passwords for any domain.
According to the researchers, the flaws in the extension code allowed anyone to "proxy" unauthenticated messages to the LastPass browser extension. Because the extension did not verify who had sent those messages, an attacker could invoke privileged LastPass commands, including the ability to copy stored passwords.
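The bug class described above is a privileged message handler that trusts whatever reaches it. The following is an added illustration written for this article, not LastPass's own code: a simplified extension content script that dispatches window.postMessage-style commands to a credential vault, first in a form that accepts any sender, then in a form that checks the sender's origin, requires a per-session nonce, and allowlists commands. The vault contents, the extension origin, the nonce and the attacker's origin are all constructed for the example.

```javascript
// Added example, not LastPass code. Models an extension content script that
// receives postMessage-style events ({ origin, data }) and routes them to
// privileged commands. Everything below is constructed for illustration.

// Constructed vault: site -> stored credential.
const vault = new Map([
  ['https://bank.example', { username: 'alice', password: 'hunter2' }],
]);

// Privileged commands that only the extension's own trusted UI should reach.
const privileged = {
  getCredentials: ({ domain }) => vault.get(domain) || null,
  copyPassword: ({ domain }) => (vault.get(domain) || {}).password || null,
};

// VULNERABLE pattern: the command named in the message is executed without
// checking who sent it, so any page able to post (or proxy) a message to the
// extension gets access to every privileged command.
function handleMessageVulnerable(event) {
  const { cmd, args } = event.data || {};
  const handler = privileged[cmd];
  return handler ? handler(args || {}) : { error: 'unknown command' };
}

// HARDENED pattern. Assumed values: the extension's own origin and a nonce
// handed only to the trusted UI at session start (random in real code).
const EXTENSION_ORIGIN = 'chrome-extension://abcdefghijklmnopabcdefghijklmnop';
const SESSION_NONCE = 'c0ffee-session-nonce';
const allowedCommands = new Set(['getCredentials', 'copyPassword']);

function handleMessageHardened(event) {
  // 1. Only messages from the extension's own origin are considered.
  if (event.origin !== EXTENSION_ORIGIN) return { error: 'untrusted origin' };
  const { cmd, args, nonce } = event.data || {};
  // 2. The message must prove it came from the trusted UI, not a proxying page.
  if (nonce !== SESSION_NONCE) return { error: 'bad nonce' };
  // 3. Explicit allowlist, so prototype names like "constructor" never dispatch.
  if (!allowedCommands.has(cmd)) return { error: 'command not allowed' };
  return privileged[cmd](args || {});
}

// Constructed messages: one relayed by an attacker-controlled page, one from
// the extension's trusted UI.
const attackerMessage = {
  origin: 'https://evil.example',
  data: { cmd: 'copyPassword', args: { domain: 'https://bank.example' } },
};
const trustedMessage = {
  origin: EXTENSION_ORIGIN,
  data: {
    cmd: 'copyPassword',
    args: { domain: 'https://bank.example' },
    nonce: SESSION_NONCE,
  },
};

// Runs both handlers against both messages and returns the outcomes.
function demo() {
  return {
    vulnerableAttacker: handleMessageVulnerable(attackerMessage),
    hardenedAttacker: handleMessageHardened(attackerMessage),
    hardenedTrusted: handleMessageHardened(trustedMessage),
  };
}

console.log(demo());
```

The vulnerable handler hands the attacker's relayed message the stored password; the hardened one rejects it at the origin check, while the legitimate UI message still succeeds. In a real extension the nonce would be random per session and compared in constant time, and the allowlist would be the only path from web-visible messages to privileged code.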
In a blog post published today, LastPass explained that the issue was related to an experimental feature. Although Ormandy has reported several vulnerabilities, LastPass said they are "largely the same". The company has now patched the flaws and added that the updates would be installed automatically for all users.
On the night of March 20th, we received a report of an issue in our Chrome 220.127.116.11 extension. We immediately investigated and released a server-side workaround within a few hours. The exploit applied to all LastPass clients – Chrome, Firefox, Edge – in which an experimental user onboarding feature was released.
Following this, Ormandy reported that the bug also affects Firefox. “This vulnerability is largely the same as the one reported the prior day, and affecting the 4.x Firefox addon,” LastPass said.
We are aware of reports of a Firefox add-on vulnerability. Our security is investigating and working on issuing a fix.
— LastPass (@LastPass) March 22, 2017
The company has since also released an update, pushed earlier today, to address the Firefox issue.
LastPass said its investigation has found no indication that any sensitive user data was lost or compromised, and that users therefore do not need to change their master password or any site credentials.
“We have no indication that any of the reported vulnerabilities were exploited in the wild, but we’re doing a thorough review at this time to confirm,” the company wrote. “We will soon provide a more comprehensive summary of the events and what our community needs to know.”