Bugs That Allow Hackers To Steal Your Passwords Discovered In LastPass

LastPass, the well-known and widely used password manager, has two new weak points, discovered by Google researchers. Its browser extension could potentially put user credentials at risk.

Tavis Ormandy, one of the researchers working for Google, discovered a critical flaw in LastPass earlier this week.

Ormandy, one of Google Project Zero’s researchers, explained that the flaw could allow malicious websites to infect the LastPass browser extension, and thus give hackers access to and control over some internal commands.

Ormandy stated that the binary component of LastPass has to be installed for an exploit of this bug to succeed. He then demonstrated the flaw using calc.exe, and explained how internal privileged Remote Procedure Calls (RPCs) could be accessed.

LastPass responded by acknowledging the report and stating that its security team was working on resolving the situation. The company later added that the issue had been dealt with.

Another bug that is still waiting to be fixed was reported on 15 March in Mozilla Firefox (3.3.2). LastPass and Ormandy both confirmed that the problem was real and that the security teams are investigating the bug and working on a fix.

Joe Siegrist, co-founder of LastPass, stated that Ormandy’s work was greatly appreciated. He then recommended that users keep their software updated to the latest versions.

However, this was not the end of LastPass’s bug problems. Ormandy once again managed to find a bug in LastPass, this time in version 4.1.35.

Ormandy has been known for finding this sort of bug and similar vulnerabilities for some time now. In July last year, he discovered yet another vulnerability that could allow hackers to access user accounts. He had also previously uncovered flaws in products from well-known anti-virus vendors, including Kaspersky Lab, Sophos and Trend Micro.

This sort of trouble isn’t new for LastPass, either. Back in 2015, a group of hackers managed to steal sensitive user data from the password manager. Even though they managed to get away with some of the data, including password reminders and email addresses, LastPass said that no master passwords were compromised at the time.

LastPass users weren’t happy to hear about yet another flaw connected to the password manager. Even so, malware expert Jake Williams told them that even with all the flaws that were discovered and exposed, their “Odds of being pwned by a LastPass issue are far lower than if your password is disclosed from one site and reused on another.”

Ali Raza
Ali Raza is a freelance journalist with extensive experience in marketing and management. He holds a master's degree and actively writes about cybersecurity, cryptocurrencies, and technology in general. Raza is also the co-founder of SpyAdvice.com, a site dedicated to educating people on online privacy and spying.
