For the second time in a few months, LastPass had to address serious security flaws in its password manager browser extensions, this time in both Google Chrome and Mozilla Firefox.
The two new vulnerabilities, a website connector bug and a Firefox-based message hijacking bug, were discovered by Tavis Ormandy, a security researcher on Google’s Project Zero team. To exploit either one, an attacker would first lure a user to a malicious website. From that page, the attacker could make calls into LastPass APIs, or in some cases run arbitrary code, while appearing to be a trusted party, and could thereby retrieve and expose information from the LastPass account, such as the user’s login credentials.
“An issue with the architecture for a consumer onboarding feature affected clients on which that code appeared (Chrome, Firefox, Edge). A malicious website could trick LastPass by masking as a trusted party and steal site credentials. Users running the LastPass binary component (less than 10% of LastPass user base) were further susceptible to remote exploit when lured to a malicious website,” said Lauren VanDam of LastPass.
In addition to the new website connector vulnerability, the Firefox bug from July resurfaced because the fix was never pushed to legacy Firefox versions, so users of older versions of Mozilla’s browser remained exposed. That vulnerability gave an attacker access to the LastPass openURL command and, through it, to any of the privileged LastPass RPCs, essentially a complete compromise of the LastPass add-on. From there an attacker could create and delete files, execute scripts, steal all passwords, and take other malicious actions.
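Both flaws share a shape: a web page reaches a privileged extension interface while posing as a trusted party. The following is an added illustration of that pattern, not LastPass’s code and not a reconstruction of the actual bugs. It assumes a content-script-style bridge that turns window messages into privileged RPC calls, with a hypothetical RPC table (`openURL`, `getCredentials`) and a hypothetical trusted origin (`https://lastpass.example`); the message events are constructed inline so it runs without a browser.

```javascript
// Added example (not LastPass's code): a page-to-extension message bridge,
// shown weak and then hardened. Event objects mimic the {origin, data} shape
// of a browser MessageEvent; RPC names and origins are hypothetical.

// Hypothetical privileged RPC table. Calls are recorded in `log` so a caller
// can see which privileged actions a message actually triggered.
function makeRpc(log) {
  return {
    openURL: (url) => { log.push(['openURL', url]); return true; },
    getCredentials: (site) => { log.push(['getCredentials', site]); return 'secret-for-' + site; },
  };
}

// Weak bridge: dispatches any message that names a known RPC, never looking
// at event.origin. Any page the user visits can drive the privileged side.
function weakBridge(rpc) {
  return (event) => {
    const { cmd, arg } = (event && event.data) || {};
    if (typeof rpc[cmd] !== 'function') return { dispatched: false, reason: 'unknown cmd' };
    return { dispatched: true, result: rpc[cmd](arg) };
  };
}

// Hardened bridge: exact-match origin allowlist, explicit command allowlist,
// and a payload shape check. Origin is compared as a full string, so
// 'https://lastpass.example.evil.test' or a substring match cannot pass.
function hardenedBridge(rpc, trustedOrigins, allowedCmds) {
  const origins = new Set(trustedOrigins);
  const cmds = new Set(allowedCmds);
  return (event) => {
    if (!event || !origins.has(event.origin)) return { dispatched: false, reason: 'untrusted origin' };
    const data = event.data;
    if (!data || typeof data !== 'object') return { dispatched: false, reason: 'bad payload' };
    const { cmd, arg } = data;
    if (!cmds.has(cmd) || typeof rpc[cmd] !== 'function') return { dispatched: false, reason: 'cmd not allowed' };
    if (typeof arg !== 'string') return { dispatched: false, reason: 'bad arg' };
    return { dispatched: true, result: rpc[cmd](arg) };
  };
}

// Constructed sample messages: one from an attacker-controlled page, one from
// the (hypothetical) trusted onboarding origin.
const EVIL_MSG = { origin: 'https://evil.example', data: { cmd: 'getCredentials', arg: 'bank.example' } };
const TRUSTED_MSG = { origin: 'https://lastpass.example', data: { cmd: 'openURL', arg: 'https://lastpass.example/onboard' } };
const TRUSTED_OVERREACH = { origin: 'https://lastpass.example', data: { cmd: 'getCredentials', arg: 'bank.example' } };

// Runs both bridges over the samples and returns what each one did.
function demo() {
  const weakLog = [];
  const hardLog = [];
  const weak = weakBridge(makeRpc(weakLog));
  const hard = hardenedBridge(makeRpc(hardLog), ['https://lastpass.example'], ['openURL']);
  return {
    weakEvil: weak(EVIL_MSG),            // dispatched: credentials leak to evil.example
    hardEvil: hard(EVIL_MSG),            // rejected: untrusted origin
    hardTrusted: hard(TRUSTED_MSG),      // dispatched: allowed command from allowed origin
    hardOverreach: hard(TRUSTED_OVERREACH), // rejected: command not on the allowlist
    weakLog,
    hardLog,
  };
}
```

Two caveats a reviewer would raise even on the hardened version: the trusted origin is still an ordinary website, so an XSS on it inherits every allowlisted command, which is why the command allowlist should be as narrow as the feature needs; and the list must be kept in sync across every build the extension ships to, since a fix that reaches one browser or one extension version but not another leaves the older one exactly as exposed as before.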
LastPass on Wednesday released a fix for all users that addresses both vulnerabilities. The company noted that an attacker would need to get a victim to visit a malicious site in order to exploit them, which is not at all difficult to do. LastPass has marked the bugs as resolved in a post on its blog and has also tweeted that it is working with Ormandy to ensure these vulnerabilities do not come back to haunt it.
The company said that it has no indications that any user data has been stolen using these flaws and stressed that the mobile apps weren’t affected by the vulnerabilities.
In July, Ormandy identified a separate vulnerability in the LastPass extension for Firefox that allowed an attacker to compromise a victim’s account completely.