Tavis Ormandy, a prolific member of Google’s Project Zero initiative, revealed that he discovered a new security issue in LastPass 4.1.42 (and maybe earlier).
Ormandy revealed that he discovered an exploit, but did not reveal it. Project Zero discoveries are reported to the companies who produce the affected products. The companies have 90 days to react, usually by creating a new product version that they make available publicly to all customers.
The information is scarce at this point in time, but it does paint a grim picture. On Twitter, he said the following:
Oops, new LastPass bug that affects 4.1.42 (Chrome&FF). RCE if you use the “Binary Component”, otherwise can steal pwds. Full report on way.
He mentions the latest version of LastPass for Google Chrome and Firefox explicitly (version 4.1.42), and that the exploit can be used for remote code execution, or the stealing of passwords.
Later on he revealed that he has a full working exploit that works without any prompts on Windows, and is just two lines of code. Also, he noted that the exploit could also work on other platforms.
I have a full exploit working without any prompts on Windows, could be made to work on other platforms. Sent details to LastPass.
LastPass posted a message on Twitter stating that it is aware of the reported issue, and that it is working on a solution, and has put a workaround in place.
We are aware of the report by @taviso and our team has put a workaround in place while we work on a resolution. Stay tuned for updates.
Soon thereafter, the company posted a second message that the reported issue was resolved.
The issue reported by Tavis Ormandy has been resolved. We will provide additional details on our blog soon.
According to the tweet, no user action is required at this point in time. Note: We will update the news article when the LastPass blog post goes live.
This new LastPass bug is not the first that Tavis Ormandy discovered. Ormandy discovered a remote compromise vulnerability in LastPass back in mid-2016.
In 2015, LastPass detected suspicious activity on the company network, and more recently, in 2017, issues were discovered in the password manager’s mobile application for Android.
It is unclear how attackers may exploit the newly discovered security issue. LastPass customers who want to be on the safe side of things should consider disabling the password manager for the time being until the security issue is patched. Those who cannot do that should be very careful when it comes to the sites they visit on the Internet.
Update: LastPass has published its own security report on the issue. According to the company, no “sensitive user data was lost or compromised” to the company’s knowledge. This means, that users don’t need to change their master passwords, or any site credentials.
All extensions for browsers have been patched, and one issue was fixed on the server-side.
Now You: Do you use a password manager?
Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.
We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.
If you like our content, and would like to help, please consider making a contribution:
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.