Google hacker found a third flaw in the LastPass password manager in a few weeks

The Google hacker Tavis Ormandy discovered a third flaw in LastPass password manager in a few weeks, the expert provided a few details about the issue.

A couple of weeks ago, the notorious Google Project Zero hacker Tavis Ormandy discovered numerous vulnerabilities in the Chrome and Firefox extensions of the LastPass password manager.

The company quickly started fixing the issue but the popular hackers announced the discovery of new bugs while completing its tests.

Now the development team is hardly working to solve a serious flaw that could be exploited by attackers to steal user passcodes by simply tricking victims into visiting a specifically crafted malicious website, the flaw also allows hackers in some cases to execute malicious code on computers running the program.

This is the third flaw discovered by Ormandy this month, the expert provided a few details about the issue across the weekend.

The expert announced to have developed a PoC exploit code that shared with the LastPass development team that have three months to patch the issue before Project Zero discloses technical details.

“It will take a long time to fix this properly,” Ormandy said. “It’s a major architectural problem. They have 90 days, no need to scramble!”

When people has the LastPass binary running, the vulnerability could be exploited to allow malicious sites to execute arbitrary code on the visitor’s machine.

The flaw could also be exploited in the absence of the LastPass binary in a way that lets malicious sites steal passwords from the protected LastPass vault.

The company confirmed that they are already working on a fix, as temporary mitigation they suggest users to enter stored passwords into websites using the LastPass vault as a launch pad for opening websites and to enter passwords and enable two-factor authentication on sites that offer it.

“Over the weekend, Google security researcher Tavis Ormandy reported a new client-side vulnerability in the LastPass browser extension. We are now actively addressing the vulnerability.  This attack is unique and highly sophisticated.” reads the security advisory published by Ormandy.

“In the meantime, we want to thank people like Tavis who help us raise the bar for online security with LastPass, and work with our teams to continue to make LastPass the most secure password manager on the market. And we want to offer our users with a few steps they can take to further protect themselves from these types of client-side issues.”

Below the suggestions published by LastPass.

  1. Use the LastPass Vault as a launch pad – Launch sites directly from the LastPass vault. This is the safest way to access your credentials and sites until this vulnerability is resolved.
  2. Two-Factor Authentication on any service that offers it – Whenever possible, turn on two-factor authentication with your accounts; many websites now offer this option for added security.
  3. Beware of Phishing Attacks – Always be vigilant to avoid phishing attempts. Do not click on links from people you don’t know, or that seem out of character from your trusted contacts and companies. Take a look at our phishing primer.

Stay tuned.

Pierluigi Paganini

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2022

We are in our 10th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.


10th Anniversary Exclusive Top 100 CISO Conference & Innovators Showcase