Google Project Zero researcher Tavis Ormandy has identified yet another serious vulnerability in the LastPass browser extension. The developers of the password manager are aware of the flaw and are working on a patch.
Since the vulnerability has not been fixed, only few details have been made public by Ormandy and LastPass. The researcher said the security hole affects the latest version of the app, and the exploit he developed should work on all web browsers.
Similar to a previously found weakness, this vulnerability can be exploited to steal a user’s passwords and, if the LastPass binary component is enabled, execute arbitrary code.
“This attack is unique and highly sophisticated,” LastPass said in a blog post. “We don’t want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties. So you can expect a more detailed post mortem once this work is complete.”
Since these vulnerabilities can typically be exploited by getting the targeted user to access a specially crafted web page, LastPass has advised customers to protect themselves against potential attacks by using the LastPass Vault to access websites in order to ensure that the site they visit is legitimate. Users have also been advised to enable two-factor authentication when possible and beware of phishing attempts.
In recent weeks, Ormandy has identified several serious LastPass vulnerabilities that can be exploited to steal user passwords or execute arbitrary code. LastPass has released patches within days after learning of their existence. The fixes are pushed out automatically and users don’t have to take any action.
There is no evidence of exploitation in the wild and LastPass told users that there is no need to change any passwords.
One of the vulnerabilities found by the Google researcher affected the 3.3.2 version of the Firefox extension. LastPass addressed the vulnerability, but the company pointed out that it plans to retire this branch in the near future.