LastPass, the well-known and widely used password manager, has two new weak points, as discovered by Google researchers. Its browser extension could potentially put user credentials at risk.
Tavis Ormandy, a researcher working for Google, discovered a critical flaw in LastPass earlier this week.
Ormandy, a member of Google Project Zero, explained that the flaw could allow malicious websites to compromise the LastPass browser extension and thereby give attackers access to, and control over, some of its internal commands.
Ormandy stated that the LastPass binary component has to be installed for exploitation of this bug to succeed. He demonstrated the flaw by launching calc.exe and explained how the extension's internal privileged Remote Procedure Calls (RPCs) could be reached.
LastPass responded to this by admitting awareness of the report and stating that their security team is working on resolving the situation. They later added that the issue has been dealt with.
We are aware of reports of a Firefox add-on vulnerability. Our security is investigating and working on issuing a fix.
— LastPass (@LastPass) March 22, 2017
Another bug, still waiting to be fixed, was reported on 15 March in the LastPass Firefox add-on (version 3.3.2). LastPass and Ormandy both confirmed that the problem was real and that the security teams are investigating the bug and working on a solution.
Joe Siegrist, co-founder of LastPass, stated that Ormandy's work was greatly appreciated. He recommended that users keep their software updated to the latest versions.
However, this was not the end of LastPass's bug problems. Ormandy once again found a bug in LastPass, this time in version 4.1.35.
Ormandy has been known to find this sort of bug and similar vulnerabilities for some time now. In July last year, he discovered another vulnerability that could allow attackers to access user accounts. He had also previously uncovered flaws in products from well-known anti-virus vendors, including Kaspersky Lab, Sophos and Trend Micro.
This sort of trouble isn't new to LastPass, either. Back in 2015, a group of hackers managed to steal sensitive user data from the password manager. Even though they got away with some data, including password reminders and email addresses, LastPass said that no master passwords were compromised at the time.
LastPass users weren't happy to hear about yet another flaw in the password manager. Even so, malware expert Jake Williams told them that, despite all the flaws discovered and exposed, their "Odds of being pwned by a LastPass issue are far lower than if your password is disclosed from one site and reused on another."