Image credit: PashaIgnatov via Getty Images

Critical security flaws found in LastPass on Chrome, Firefox (updated)

Between server-side fixes and updated extensions, the issues have been addressed.
Last year Google Project Zero researcher Tavis Ormandy quickly found some "obvious" security problems in the popular password manager LastPass, and now he's done it again. Last week Ormandy mentioned finding an exploit in one version of its extension for Firefox, before following that up with a new bug that affected both Chrome and Firefox, and finally a third vulnerability that could allow "stealing passwords for any domain."

The first vulnerability has apparently not been addressed yet; Ormandy suggests this may be because Mozilla needs time to review the updated extension before pushing it to users. Based on his tweet, it could reveal a user's password, but not all of the details have been disclosed yet.

The second issue could be more serious, with the ability to steal a user's passwords or, if the binary version of the extension is installed, run any code the attacker tells it to (in an example, Ormandy causes the target's computer to open a calculator program). According to LastPass, the issue has been resolved, although a promised follow-up blog post with more details has yet to appear.

There's even less information available about the latest vulnerability identified (updated; see below).

The pace of these discoveries and the lack of information from LastPass are certainly troubling, although using a password manager to maintain unique passwords can still help protect you from being hacked. We've contacted the company and will update this post with any news; in the meantime, it may be wise to disable the affected browser extensions. If you're suddenly looking for another service to store your important login information, Tavis (who makes a habit of poking holes in security products) suggested KeePass, a manager that doesn't use browser extensions, keeping a layer of separation between websites and your vault.

Update: LastPass has responded with a blog post. Regarding the bug above that affected clients in Chrome, Firefox and Edge, the company says it applied a server-side workaround. As for the bug in the Firefox extension version 4.1.35a, the company says this has been addressed in a new version pushed last night, so users of that browser should make sure they've updated to 4.136a.
All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.