Full LastPass 4.1.42 Exploit Discovered

Password managers must make an incredibly tempting target for hackers. Heads up, LastPass users!

Tavis Ormandy, a prolific member of Google’s Project Zero initiative, revealed that he discovered a new security issue in LastPass 4.1.42 (and maybe earlier). Ormandy revealed that he discovered an exploit, but did not reveal it. Project Zero discoveries are reported to the companies who produce the affected products. The companies have 90 days to react, usually by creating a new product version that they make available publicly to all customers.

The information is scarce at this point in time, but it does paint a grim picture. On Twitter, he said the following:

Oops, new LastPass bug that affects 4.1.42 (Chrome&FF). RCE if you use the “Binary Component”, otherwise can steal pwds. Full report on way.

He mentions the latest version of LastPass for Google Chrome and Firefox explicitly (version 4.1.42), and that the exploit can be used for remote code execution, or the stealing of passwords.

lastpass 4.1.42 exploit

Later on he revealed that he has a full working exploit that works without any prompts on Windows, and is just two lines of code. Also, he noted that the exploit could also work on other platforms.

I have a full exploit working without any prompts on Windows, could be made to work on other platforms. Sent details to LastPass.

Full exploit is two lines of javascript. #sigh ¯\_(ツ)_/¯

LastPass posted a message on Twitter stating that it is aware of the reported issue, and that it is working on a solution, and has put a workaround in place.

We are aware of the report by @taviso and our team has put a workaround in place while we work on a resolution. Stay tuned for updates.

Soon thereafter, the company posted a second message that the reported issue was resolved.

The issue reported by Tavis Ormandy has been resolved. We will provide additional details on our blog soon.

According to the tweet, no user action is required at this point in time. Note: We will update the news article when the LastPass blog post goes live.

This new LastPass bug is not the first that Tavis Ormandy discovered. Ormandy discovered a remote compromise vulnerability in LastPass back in mid-2016.

In 2015, LastPass detected suspicious activity on the company network, and more recently, in 2017, issues were discovered in the password manager’s mobile application for Android.

It is unclear how attackers may exploit the newly discovered security issue. LastPass customers who want to be on the safe side of things should consider disabling the password manager for the time being until the security issue is patched. Those who cannot do that should be very careful when it comes to the sites they visit on the Internet.

Link to Original Content

Tags: , , , ,

Comments are closed.