The company has issued updates for both extensions, but Mozilla is still reviewing the Firefox update before release

Mar 21, 2017 22:54 GMT  ·  By

LastPass, the password vault that you were supposed to trust with your information, was affected by a critical security flaw. Thankfully, the company has already patched things up. 

This wasn't even a particularly complicated problem, but rather a plain coding error. At least that's the opinion of Google's Tavis Ormandy, a security expert who has uncovered numerous problems over the years, including the recent Cloudflare incident.

The white hat found the issue within the LastPass Chrome extension. According to Ormandy, the extension had an exploitable content script that could be attacked to extract passwords from the manager. It could also be abused to execute commands on the victim's computer, which Ormandy demonstrated without much effort.

"This script will proxy unauthenticated window messages to the extension. This is clearly a mistake," Ormandy writes.

Nothing was safe

Since LastPass works by storing passwords in the cloud, the browser extension is your link to the LastPass account, helping you save new information as you browse the Internet.

The vulnerability made it dangerous for users to so much as visit a malicious website, since all of their stored passwords could have been picked up by attackers.

"This allows complete access to internal privileged LastPass RPC commands. There are hundreds of internal LastPass RPCs, but the obviously bad ones are things copying and filling in passwords (copypass, fillform, etc)," Ormandy added in his report.

It seems that all one needed to exploit the vulnerability was two simple lines of JavaScript code.
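The coding error Ormandy describes above, a content script that relays any window message to the privileged extension side, is a general extension pattern, so it is worth seeing the unchecked form next to the checked one. The block below is an added illustration, not LastPass's code: the origins, the command names, the `background` object standing in for `chrome.runtime.sendMessage`, and the function names `relayUnchecked`, `relayChecked` and `compareRelays` are all constructed for this example.

```javascript
// Added illustration, not LastPass's code. Models a browser-extension content
// script that relays window.postMessage events to the privileged extension side,
// first in the unchecked form the report describes and then with the checks a
// defender would want. Every origin, command and object here is a constructed
// stand-in.

// Origins a content script may accept requests from (constructed).
const TRUSTED_ORIGINS = new Set(['https://vault.example.test']);

// The small set of commands a web page may ever trigger (constructed).
// Sensitive RPCs such as the fill/copy commands named in the report are
// deliberately absent: a page has no business calling them.
const PAGE_CALLABLE_COMMANDS = new Set(['getVersion', 'isLoggedIn']);

// Stand-in for the privileged side (chrome.runtime.sendMessage in a real
// extension); it only records what reaches it.
function makeBackground() {
  const received = [];
  return { received, sendMessage: (msg) => { received.push(msg); } };
}

// Vulnerable pattern: every message event is forwarded as-is, so any page that
// can run script in the tab reaches the extension's internal RPC surface.
function relayUnchecked(event, background) {
  background.sendMessage(event.data);
  return 'forwarded';
}

// Hardened pattern: check who is talking, then what they ask for, and rebuild
// the message instead of forwarding the page-controlled object untouched.
function relayChecked(event, background) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return 'rejected:origin';
  const data = event.data;
  if (typeof data !== 'object' || data === null || Array.isArray(data)) return 'rejected:shape';
  if (typeof data.cmd !== 'string' || !PAGE_CALLABLE_COMMANDS.has(data.cmd)) return 'rejected:command';
  background.sendMessage({ cmd: data.cmd, origin: event.origin });
  return 'forwarded';
}

// Constructed MessageEvent-like objects: a harmless request from the trusted
// origin, and a request for a privileged RPC from an unrelated site.
const benignEvent = { origin: 'https://vault.example.test', data: { cmd: 'getVersion' } };
const hostileEvent = { origin: 'https://unrelated-site.example.test', data: { cmd: 'copypass' } };

// Runs both relays over both events and reports what reached the background.
function compareRelays() {
  const unchecked = makeBackground();
  const checked = makeBackground();
  return {
    unchecked: [relayUnchecked(benignEvent, unchecked), relayUnchecked(hostileEvent, unchecked)],
    checked: [relayChecked(benignEvent, checked), relayChecked(hostileEvent, checked)],
    uncheckedReceived: unchecked.received.length,
    checkedReceived: checked.received.length,
  };
}

console.log(JSON.stringify(compareRelays(), null, 2));
```

In a real content script the handler would also verify `event.source === window` so that messages from frames are not accepted, and the privileged side should apply its own allowlist rather than trusting that the content script filtered correctly: a content script runs in the page's tab and is the least trusted component of the extension.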

Thankfully, LastPass has already fixed the issue within its Chrome extension by disabling 1min-ui-prod.service.lastpass.com. As always, the company was notified early on about the discovered vulnerability and worked directly with Ormandy to verify the report and to create and issue a fix.

Firefox too

A similar vulnerability was then discovered within the LastPass Firefox extension, a bug that could be exploited by malicious web pages to extract passwords straight from the manager.

It looks like LastPass has already issued a patch to fix the add-on, but the updated version is in Mozilla's review process, so it may take a little longer for it to go live.