Only affects version on (3.3.2), report on way. ![]() Wrote a quick exploit for another LastPass vulnerability. ![]() Again, the vulnerability can be exploited by malicious webpages to extract passwords from the manager. ![]() Late last week, Ormandy found another LastPass vulnerability, this time in its Firefox extension. It has been a busy weekend for LastPass software engineers. It's probably best to disable the Chrome extension until a version newer than 4.1.42, dated March 14, is sent out with an actual working fix. That LastPass backend system resolves to 23.72.215.179 for us right now, and is still up. It appears LastPass's fix for the Chrome extension issue was to quickly disable – although some say the server is still working for them, so they are still vulnerable. As always, we recommend that users keep their software updated to the latest versions." We were notified early on – our team worked directly with Tavis to verify the report made, and worked quickly to issue the fix. "We have made our LastPass community aware of the report made by Tavis Ormandy and have confirmed that the vulnerabilities have been fixed. ![]() "We greatly appreciate the work of the security community to challenge our product and uncover areas that need improvement," Joe Siegrist, cofounder and VP of LastPass, told The Register. The password manager developer has experience with Ormandy after he found another flaw in its code last year that could compromise a punter's passwords just by visiting the wrong website. There are hundreds of internal LastPass RPCs, but the obviously bad ones are things copying and filling in passwords (copypass, fillform, etc)."Īll that's needed to exploit the vulnerability are two simple lines of JavaScript code, which Ormandy supplied: "This allows complete access to internal privileged LastPass RPC commands.
0 Comments
Leave a Reply. |