UPDATED: Google Project Zero researcher discovers yet another bug in LastPass Firefox extension
Updated: Password manager LastPass has rushed to patch yet another flaw in its browser extension for Firefox that could have enabled a hacker to gain full code execution on a targeted machine.
The flaw was found by Google Project Zero security researcher Tavis Ormandy, who reported the bug to LastPass, which hurried to fix it.
“We don’t want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties. So you can expect a more detailed post mortem once this work is complete,” said Joe Siegrist of LastPass.
The flaw affected version 4.1.43 of the LastPass Firefox browser extension.
The bug report follows mere days after Ormandy informed LastPass of a trio of bugs affecting its extensions for Google’s Chrome browser and Firefox. LastPass rapidly squashed the bugs before they could be exploited.
Two of the bugs affected the Firefox extension version 3.3.2, while a single bug blighted the LastPass browser add-on in Chrome.
Ormandy detailed how passwords could have been extracted from LastPass if attackers exploited the bugs by luring users to a malicious website and then making calls to LastPass application programming interfaces (APIs), or by running arbitrary code while appearing to be a trusted party.
This attack vector would have allowed a hacker to target the intermediary JavaScript that sits between the affected browser extension and LastPass’ cloud service, which stores its users’ passwords.
“It’s possible to proxy untrusted messages to LastPass 4.1.42 due to a bug, allowing websites to access internal privileged RPCs (Remote Procedure Calls),” Project Zero security researcher Tavis Ormandy explained.
“There are a lot of RPCs, allowing complete control of the LastPass extension, including stealing passwords. If you have the ‘Binary Component’ installed, this even allows arbitrary code execution.”
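As an added illustration, and not code from LastPass or from Project Zero's report, the following JavaScript models the class of bug Ormandy describes: a message broker that forwards web-page messages to privileged RPCs without checking who sent them, beside a hardened broker that confines page-originated messages to an explicit allowlist, requires a browser-supplied sender identity for anything else, and records denied calls so they can be detected. The RPC names, the extension id and the shape of the sender object are constructed assumptions, not LastPass's actual API.

```javascript
// Added illustration (not LastPass's or Project Zero's code): a simplified model of
// an extension's message broker. The weak broker exposes every RPC to any message;
// the hardened broker only lets page-originated messages reach an allowlist.

// Constructed stand-ins for privileged RPCs that only the extension's own UI should call.
const privilegedRpcs = {
  listSites: () => ["example-bank.invalid", "example-mail.invalid"],
  exportVault: () => "vault-blob",
};

// RPCs a web page legitimately needs (constructed example).
const pageRpcs = {
  ping: () => "pong",
};

// Weak pattern: one flat table and no sender check. Any page that can send a
// message reaches every RPC, which is the class of bug described in the article.
function weakDispatch(msg) {
  const table = { ...privilegedRpcs, ...pageRpcs };
  const fn = table[msg.cmd];
  return fn ? { ok: true, result: fn() } : { ok: false, error: "unknown rpc" };
}

// Hardened pattern: the sender object is supplied by the browser runtime, never by
// the page. Assumed shape: { id: extensionId, origin: "page" | "extension" }.
const EXTENSION_ID = "example-extension-id"; // placeholder, not a real identifier
const auditLog = []; // denied calls are recorded for detection and review

function hardenedDispatch(msg, sender) {
  if (!msg || typeof msg.cmd !== "string") {
    return { ok: false, error: "malformed message" };
  }
  const fromExtension =
    !!sender && sender.id === EXTENSION_ID && sender.origin === "extension";

  // Page-originated messages are confined to the explicit allowlist.
  if (!fromExtension) {
    const fn = pageRpcs[msg.cmd];
    if (!fn) {
      auditLog.push({
        cmd: msg.cmd,
        sender: sender ? sender.origin : "none",
        decision: "denied",
      });
      return { ok: false, error: "forbidden" };
    }
    return { ok: true, result: fn() };
  }

  // Messages from the extension itself may reach the privileged table.
  const fn = privilegedRpcs[msg.cmd] || pageRpcs[msg.cmd];
  return fn ? { ok: true, result: fn() } : { ok: false, error: "unknown rpc" };
}

// Returns a copy of the denied-call log for inspection.
function auditEntries() {
  return auditLog.slice();
}

// Demonstration: the same page-originated request against both brokers.
const pageSender = { id: "some-web-page", origin: "page" };
console.log("weak:", weakDispatch({ cmd: "exportVault" }));
console.log("hardened:", hardenedDispatch({ cmd: "exportVault" }, pageSender));
console.log("denied calls:", auditEntries());
```

The design point is that the allowlist and the sender check live in the broker, not in each RPC: adding a new privileged RPC cannot accidentally expose it to web content, and every denied attempt leaves an audit record that a defender can alert on.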
The vulnerability was widespread, affecting more than just the Chrome and Firefox browsers on Windows PCs; however, LastPass explained that its investigation into the bugs had not turned up any incidents in which the bugs were exploited and passwords were stolen.
The company also noted that LastPass on mobile operating systems, notably Android and iOS, was not affected by the bugs.
Having patched the bugs, LastPass noted that there is no need for users to change their master passwords or the credentials for logging into other online services, but they will need to ensure LastPass is updated to the latest version rolled out by the company.
LastPass reiterated that it is committed to bolstering the security of its service and that of its users: “To prevent these issues in the future, we are reviewing and strengthening our code review and security processes in place today, particularly around new and experimental features.”