Google Project Zero researcher Tavis Ormandy has identified yet another serious vulnerability in the LastPass browser extension. The developers of the password manager are aware of the flaw and are working on a patch.
Since the vulnerability has not been fixed, only few details have been made public by Ormandy and LastPass. The researcher said the security hole affects the latest version of the app, and the exploit he developed should work on all web browsers.
Similar to a previously found weakness, this vulnerability can be exploited to steal a user’s passwords and, if the LastPass binary component is enabled, execute arbitrary code.
“This attack is unique and highly sophisticated,” LastPass said in a blog post. “We don’t want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties. So you can expect a more detailed post mortem once this work is complete.”
Since these vulnerabilities can typically be exploited by getting the targeted user to access a specially crafted web page, LastPass has advised customers to protect themselves against potential attacks by using the LastPass Vault to access websites in order to ensure that the site they visit is legitimate. Users have also been advised to enable two-factor authentication when possible and beware of phishing attempts.
In recent weeks, Ormandy has identified several serious LastPass vulnerabilities that can be exploited to steal user passwords or execute arbitrary code. LastPass has released patches within days after learning of their existence. The fixes are pushed out automatically and users don’t have to take any action.
There is no evidence of exploitation in the wild and LastPass told users that there is no need to change any passwords.
One of the vulnerabilities found by the Google researcher affected the 3.3.2 version of the Firefox extension. LastPass addressed the vulnerability, but the company pointed out that it plans to retire this branch in the near future.
Related: Popular Android Password Managers Expose Credentials
Related: LastPass Attack Could Result in Full Account Compromise
Related: LastPass Rushes to Patch Flaw That Exposed User Passwords
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Zyxel Firewalls Hacked by Mirai Botnet
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
- Drop in Insider Breaches Drives Decline in Intrusions at OT Organizations
- Zero-Day Vulnerability Exploited to Hack Barracuda Email Security Gateway Appliances
- OAuth Vulnerabilities in Widely Used Expo Framework Allowed Account Takeovers
- New Honeywell OT Cybersecurity Solution Helps Identify Vulnerabilities, Threats
- Rheinmetall Says Military Business Not Impacted by Ransomware Attack
Latest News
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- Zyxel Firewalls Hacked by Mirai Botnet
- Watch Now: Threat Detection and Incident Response Virtual Summit
- NCC Group Releases Open Source Tools for Developers, Pentesters
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
