Critical vulnerabilities found in the Chrome and Firefox extensions of the LastPass password manager can be exploited to steal passwords, warned Google Project Zero researcher Tavis Ormandy.
The expert has discovered several flaws, but only one of them appears to have been patched by LastPass developers.
Ormandy first reported finding a vulnerability in the Firefox version of the LastPass extension (version 3.3.2). The details of the security hole have not been made public. LastPass, which has 90 days to release a fix before details are disclosed by Project Zero, says it’s aware of the flaw and its security team is working on a patch.
We are aware of reports of a Firefox add-on vulnerability. Our security is investigating and working on issuing a fix.
— LastPass (@LastPass) March 22, 2017
On Tuesday, the Project Zero researcher reported finding another vulnerability that affected both the Chrome and Firefox versions of LastPass. The weakness allowed a hacker to steal a user’s passwords and, if the binary component was enabled, execute arbitrary code via remote procedure call (RPC) commands. The attack could have been carried out by getting the targeted user to access a specially crafted web page.
LastPass implemented a temporary mitigation within hours after learning of the flaw’s existence, and claimed to have fully patched the issue on the server side soon after. Users are not required to take any action.
Ormandy has made public the details of this vulnerability, including proof-of-concept (PoC) code, and LastPass has promised to publish a blog post of its own to provide more information.
According to Ormandy, the flaw existed due to the websiteConnector.js content script proxying unauthenticated messages to the extension, giving an attacker complete access to internal LastPass RPC commands (e.g. for copying or filling in passwords).
Shortly after LastPass announced the fix, the expert said on Twitter that he identified another vulnerability that can be exploited to steal passwords for any domain.
This is not the only web browser extension analyzed by Ormandy. The expert previously reported finding flaws in Cisco WebEx, AVG Web TuneUp, and an extension installed silently by Adobe with Acrobat and Reader updates.
UPDATE. LastPass said it addressed all the vulnerabilities found by Ormandy. The company has published a blog post and the researcher made public two more advisories.
Related: Popular Android Password Managers Expose Credentials
Related: LastPass Attack Could Result in Full Account Compromise
Related: LastPass Rushes to Patch Flaw That Exposed User Passwords