A few days after LastPass released a fix for some critical security flaws in its extensions for Chrome and Firefox, a researcher has identified a new vulnerability in the browser extension that allows an attacker to get full code execution on a target machine.
The details of the new bug are not yet public, but Tavis Ormandy, the Google researcher who discovered all of these vulnerabilities, has sent the information to LastPass, and the company said it is working on a fix. LastPass officials characterized the new vulnerability as requiring a highly sophisticated attack to exploit. Ormandy said over the weekend that he had developed a working exploit for the vulnerability in LastPass 4.1.43.
“Over the weekend, Google security researcher Tavis Ormandy reported a new client-side vulnerability in the LastPass browser extension. We are now actively addressing the vulnerability. This attack is unique and highly sophisticated. We don’t want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties. So you can expect a more detailed post mortem once this work is complete,” Joe Siegrist of LastPass said in a post on the new vulnerability.
Ormandy, who works on Google’s Project Zero research team, has been looking at weaknesses in various password managers over the last few months and has identified a number of vulnerabilities in LastPass and 1Password. Most recently, he found a pair of critical vulnerabilities in the LastPass browser extensions that could enable an attacker to steal a user’s credentials, or in some cases gain remote code execution.
“An issue with the architecture for a consumer onboarding feature affected clients on which that code appeared (Chrome, Firefox, Edge). A malicious website could trick LastPass by masking as a trusted party and steal site credentials. Users running the LastPass binary component (less than 10% of LastPass user base) were further susceptible to remote exploit when lured to a malicious website,” said Lauren VanDam of LastPass.
Officials at LastPass did not specify when a fix for the new flaw would be available, but the company has released patches fairly quickly in the past.