The Google hacker Tavis Ormandy discovered a third flaw in LastPass password manager in a few weeks, the expert provided a few details about the issue.

A couple of weeks ago, the notorious Google Project Zero hacker Tavis Ormandy discovered numerous vulnerabilities in the Chrome and Firefox extensions of the LastPass password manager.

Wrote a quick exploit for another LastPass vulnerability. Only affects version on https://t.co/lGcefN9YXM (3.3.2), report on way. ¯_(ツ)_/¯ pic.twitter.com/AgjASiQMfJ — Tavis Ormandy (@taviso) March 16, 2017

The company quickly started fixing the issue but the popular hackers announced the discovery of new bugs while completing its tests.

Now the development team is hardly working to solve a serious flaw that could be exploited by attackers to steal user passcodes by simply tricking victims into visiting a specifically crafted malicious website, the flaw also allows hackers in some cases to execute malicious code on computers running the program.

This is the third flaw discovered by Ormandy this month, the expert provided a few details about the issue across the weekend.

The expert announced to have developed a PoC exploit code that shared with the LastPass development team that have three months to patch the issue before Project Zero discloses technical details.

“It will take a long time to fix this properly,” Ormandy said. “It’s a major architectural problem. They have 90 days, no need to scramble!”

Ah-ha, I had an epiphany in the shower this morning and realized how to get codeexec in LastPass 4.1.43. Full report and exploit on the way. pic.twitter.com/vQn20D9VCy — Tavis Ormandy (@taviso) March 25, 2017

When people has the LastPass binary running, the vulnerability could be exploited to allow malicious sites to execute arbitrary code on the visitor’s machine.

The flaw could also be exploited in the absence of the LastPass binary in a way that lets malicious sites steal passwords from the protected LastPass vault.

The company confirmed that they are already working on a fix, as temporary mitigation they suggest users to enter stored passwords into websites using the LastPass vault as a launch pad for opening websites and to enter passwords and enable two-factor authentication on sites that offer it.

“Over the weekend, Google security researcher Tavis Ormandy reported a new client-side vulnerability in the LastPass browser extension. We are now actively addressing the vulnerability. This attack is unique and highly sophisticated.” reads the security advisory published by Ormandy.

“In the meantime, we want to thank people like Tavis who help us raise the bar for online security with LastPass, and work with our teams to continue to make LastPass the most secure password manager on the market. And we want to offer our users with a few steps they can take to further protect themselves from these types of client-side issues.”

Below the suggestions published by LastPass.

Use the LastPass Vault as a launch pad – Launch sites directly from the LastPass vault. This is the safest way to access your credentials and sites until this vulnerability is resolved. Two-Factor Authentication on any service that offers it – Whenever possible, turn on two-factor authentication with your accounts; many websites now offer this option for added security. Beware of Phishing Attacks – Always be vigilant to avoid phishing attempts. Do not click on links from people you don’t know, or that seem out of character from your trusted contacts and companies. Take a look at our phishing primer.

Stay tuned.

Pierluigi Paganini

(Security Affairs – password manager, hacking)

Share this...

Linkedin Reddit Pinterest

Share On