Critical vulnerabilities found in the Chrome and Firefox extensions of the LastPass password manager can be exploited to steal passwords, warned Google Project Zero researcher Tavis Ormandy.
The expert has discovered several flaws, but only one of them appears to have been patched by LastPass developers.
Ormandy first reported finding a vulnerability in the Firefox version of the LastPass extension (version 3.3.2). The details of the security hole have not been made public. LastPass, which has 90 days to release a fix before details are disclosed by Project Zero, says it’s aware of the flaw and its security team is working on a patch.
We are aware of reports of a Firefox add-on vulnerability. Our security is investigating and working on issuing a fix.
— LastPass (@LastPass) March 22, 2017
On Tuesday, the Project Zero researcher reported finding another vulnerability that affected both the Chrome and Firefox versions of LastPass. The weakness allowed a hacker to steal a user’s passwords and, if the binary component was enabled, execute arbitrary code via remote procedure call (RPC) commands. The attack could have been carried out by getting the targeted user to access a specially crafted web page.
LastPass implemented a temporary mitigation within hours after learning of the flaw’s existence, and claimed to have fully patched the issue on the server side soon after. Users are not required to take any action.
Ormandy has made public the details of this vulnerability, including proof-of-concept (PoC) code, and LastPass has promised to publish a blog post of its own to provide more information.
According to Ormandy, the flaw existed due to the websiteConnector.js content script proxying unauthenticated messages to the extension, giving an attacker complete access to internal LastPass RPC commands (e.g. for copying or filling in passwords).
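To make the failure mode concrete, here is an added illustration (not LastPass's code and not the researcher's PoC) of a browser-extension content script that relays page messages into privileged extension RPC. It runs under Node, models `window.postMessage` events as plain `{ origin, data }` objects, and places an unauthenticated relay of the kind the advisory describes beside a hardened one that checks the sender's origin, restricts which commands a page may reach, and ties the requested domain to the sending page's host. The vault contents, command names, and the hostnames `accounts.example`, `bank.example` and `unrelated.example` are all constructed for the example.

```javascript
// Added illustration, not LastPass's code: a minimal model of a browser-
// extension content script that relays page messages to privileged RPC.
// Runs under Node; window.postMessage events are modelled as plain
// objects { origin, data }, the shape the real MessageEvent exposes.

// Hypothetical privileged RPC layer (in a real extension this lives in the
// background context, reached over the extension's messaging channel).
const vault = {
  "accounts.example": { username: "alice", password: "s3cret" }, // constructed sample
  "bank.example": { username: "bob", password: "hunter2" },      // constructed sample
};

const rpcHandlers = {
  getCredentials: ({ domain }) => vault[domain] || null,
  fillForm: ({ domain }) => (vault[domain] ? `filled ${domain}` : null),
};

function dispatchRpc(cmd, args) {
  const handler = rpcHandlers[cmd];
  if (!handler) return { error: "unknown command" };
  return { result: handler(args || {}) };
}

// Insecure relay: whatever the page posts is forwarded verbatim, so any
// script on any origin reaches every internal command.
function insecureRelay(event) {
  const data = event.data || {};
  return dispatchRpc(data.cmd, data.args);
}

// Hardened relay. Three checks a content script should make before
// proxying a page message into the extension:
//   1. the sender's origin is an https origin we can name;
//   2. the message is well-formed and names a command pages may use;
//   3. the domain the request is about is the sender's own host.
const PAGE_ALLOWED_COMMANDS = new Set(["fillForm"]);

function hostFromOrigin(origin) {
  try {
    const u = new URL(origin);
    return u.protocol === "https:" ? u.hostname : null;
  } catch (e) {
    return null; // undefined, empty or unparsable origins are rejected
  }
}

function hardenedRelay(event) {
  const host = hostFromOrigin(event.origin);
  if (!host) return { error: "untrusted origin" };
  const data = event.data;
  if (!data || typeof data !== "object" || typeof data.cmd !== "string") {
    return { error: "malformed message" };
  }
  if (!PAGE_ALLOWED_COMMANDS.has(data.cmd)) return { error: "command not exposed to pages" };
  if (!data.args || data.args.domain !== host) return { error: "domain mismatch" };
  return dispatchRpc(data.cmd, data.args);
}

// Constructed events: a page filling its own login form, and a page on an
// unrelated origin asking the extension for another site's credentials.
const ownPageFill = {
  origin: "https://accounts.example",
  data: { cmd: "fillForm", args: { domain: "accounts.example" } },
};
const foreignCredentialRequest = {
  origin: "https://unrelated.example",
  data: { cmd: "getCredentials", args: { domain: "bank.example" } },
};

console.log("insecure relay:", JSON.stringify(insecureRelay(foreignCredentialRequest)));
console.log("hardened relay:", JSON.stringify(hardenedRelay(foreignCredentialRequest)));
console.log("hardened relay, own page:", JSON.stringify(hardenedRelay(ownPageFill)));
```

The insecure relay hands the unrelated page another site's stored credentials; the hardened one refuses it at the command allow-list, and even an allowed command is refused when the requested domain does not match the sending origin. The third check is the general mitigation for the "passwords for any domain" class of problem: the page's origin, not a field the page supplies, decides which entry the extension may act on.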
Shortly after LastPass announced the fix, the expert said on Twitter that he had identified another vulnerability that could be exploited to steal passwords for any domain.
This is not the only web browser extension analyzed by Ormandy. The expert previously reported finding flaws in Cisco WebEx, AVG Web TuneUp, and an extension installed silently by Adobe with Acrobat and Reader updates.
UPDATE. LastPass said it addressed all the vulnerabilities found by Ormandy. The company has published a blog post and the researcher made public two more advisories.
Related: Popular Android Password Managers Expose Credentials
Related: LastPass Attack Could Result in Full Account Compromise
Related: LastPass Rushes to Patch Flaw That Exposed User Passwords

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
