Critical vulnerabilities found in the Chrome and Firefox extensions of the LastPass password manager can be exploited to steal passwords, warned Google Project Zero researcher Tavis Ormandy.
The expert has discovered several flaws, but only one of them appears to have been patched by LastPass developers.
Ormandy first reported finding a vulnerability in the Firefox version of the LastPass extension (version 3.3.2). The details of the security hole have not been made public. LastPass, which has 90 days to release a fix before details are disclosed by Project Zero, says it’s aware of the flaw and its security team is working on a patch.
We are aware of reports of a Firefox add-on vulnerability. Our security is investigating and working on issuing a fix.
— LastPass (@LastPass) March 22, 2017
On Tuesday, the Project Zero researcher reported finding another vulnerability that affected both the Chrome and Firefox versions of LastPass. The weakness allowed a hacker to steal a user’s passwords and, if the binary component was enabled, execute arbitrary code via remote procedure call (RPC) commands. The attack could have been carried out by getting the targeted user to access a specially crafted web page.
LastPass implemented a temporary mitigation within hours after learning of the flaw’s existence, and claimed to have fully patched the issue on the server side soon after. Users are not required to take any action.
Ormandy has made public the details of this vulnerability, including proof-of-concept (PoC) code, and LastPass has promised to publish a blog post of its own to provide more information.
According to Ormandy, the flaw existed due to the websiteConnector.js content script proxying unauthenticated messages to the extension, giving an attacker complete access to internal LastPass RPC commands (e.g. for copying or filling in passwords).
Shortly after LastPass announced the fix, the expert said on Twitter that he identified another vulnerability that can be exploited to steal passwords for any domain.
This is not the only web browser extension analyzed by Ormandy. The expert previously reported finding flaws in Cisco WebEx, AVG Web TuneUp, and an extension installed silently by Adobe with Acrobat and Reader updates.
UPDATE. LastPass said it addressed all the vulnerabilities found by Ormandy. The company has published a blog post and the researcher made public two more advisories.
Related: Popular Android Password Managers Expose Credentials
Related: LastPass Attack Could Result in Full Account Compromise
Related: LastPass Rushes to Patch Flaw That Exposed User Passwords

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks
- NIST Publishes Final Version of 800-82r3 OT Security Guide
- Johnson Controls Hit by Ransomware
- Verisoul Raises $3.25 Million in Seed Funding to Detect Fake Users
- Government Shutdown Could Bench 80% of CISA Staff
- Google Rushes to Patch New Zero-Day Exploited by Spyware Vendor
- macOS 14 Sonoma Patches 60 Vulnerabilities
- New GPU Side-Channel Attack Allows Malicious Websites to Steal Data
Latest News
- Bankrupt IronNet Shuts Down Operations
- AWS Using MadPot Decoy System to Disrupt APTs, Botnets
- Generative AI Startup Nexusflow Raises $10.6 Million
- In Other News: RSA Encryption Attack, Meta AI Privacy, ShinyHunters Hacker Guilty Plea
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- National Security Agency is Starting an Artificial Intelligence Security Center
- CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
