Skip to main content
  1. Home
  2. Computing
  3. News

Latest bugs in LastPass allowed attackers to steal passwords

Jonathan Keane
By

A hand on a laptop in a dark surrounding.
Image used with permission by copyright holder
Password manager LastPass is patching a number of critical vulnerabilities in its software that left users’ passwords potentially leaking.

No software is ever totally safe and while password managers can offer a degree of security and convenience, they are not impervious as these security flaws demonstrate.

Recommended Videos

The latest bugs were discovered by Google Project Zero researcher Tavis Ormandy, who is renown for finding and disclosing flaws in security software. Ormandy said he found a vulnerability that allows for the stealing of passwords by running a binary version of the password manager’s extension.

Related

In a proof of concept, Ormandy demonstrated using the code to launch an application. He opened the calculator in Windows but, he said, a malicious actor could use this code to steal password details when the manager is entering them into the login fields.

“That doesn’t look good, this script will proxy unauthenticated window messages to the extension. This is clearly a mistake, because anybody can do [it],” he wrote in his advisory.

“Therefore, this allows complete access to internal privileged LastPass RPC [remote procedure calls] commands,” he said.

I found another bug in LastPass 4.1.35 (unpatched), allows stealing passwords for any domain. Full report will be on the way shortly. pic.twitter.com/9VkV7R3vud

— Tavis Ormandy (@taviso) March 21, 2017

LastPass said in a tweet that this has been fixed and promised a blog post with more details on what went wrong but the post has yet to materialize.

Ormandy also found remote code execution vulnerabilities in the password manager’s Chrome and Firefox extensions. The Chrome bug has since been patched but the Firefox version remains unpatched for now but this may be due to a hold up on Mozilla’s end.

“We are aware of reports of a Firefox add-on vulnerability. Our security is investigating and working on issuing a fix,” said LastPass on Tuesday night.

This isn’t the first time that Ormandy has poked holes in LastPass’ software. In 2016, he disclosed a Firefox-related flaw that would have allowed an attacker to access someone’s extension, without them knowing, and delete the passwords.

Editors' Recommendations

Topics
Jonathan Keane
Jonathan Keane
Former Digital Trends Contributor
Jonathan is a freelance technology journalist living in Dublin, Ireland. He's previously written for publications and sites…
It’s time to stop believing these PC building myths
Hyte's Thicc Q60 all-in-one liquid cooler.

As far as hobbies go, PC hardware is neither the cheapest nor the easiest one to get into. That's precisely why you may often run into various misconceptions and myths.

These myths have been circulating for so long now that many accept them as a universal truth, even though they're anything but. Below, I'll walk you through some PC beliefs that have been debunked over and over, and, yet, are still prevalent.
Liquid cooling is high-maintenance (and scary)

Read more
AMD’s next-gen CPUs are much closer than we thought
AMD Ryzen 7 7800X3D held between fingertips.

We already knew that AMD would launch its Zen 5 CPUs this year, but recent motherboard updates hint that a release is imminent. Both MSI and Asus have released updates for their 600-series motherboards that explicitly add support for "next-generation AMD Ryzen processors," setting the stage for AMD's next-gen CPUs.

This saga started a few days ago when hardware leaker 9550pro spotted an MSI BIOS update, which they shared on X (formerly Twitter). Since then, Asus has followed suit with BIOS updates of its own featuring a new AMD Generic Encapsulated Software Architecture (AGESA) -- the firmware responsible for starting the CPU -- that brings support for next-gen CPUs (spotted by VideoCardz).

Read more
AMD Zen 5: Everything we know about AMD’s next-gen CPUs
The AMD Ryzen 5 8600G APU installed in a motherboard.

AMD Zen 5 is the next-generation Ryzen CPU architecture for Team Red and is slated for a launch sometime in 2024. We've been hearing tantalizing rumors for a while now and promises of big leaps in performance. In short, Zen 5 could be very exciting indeed.

We don't have all the details, but what we're hearing is very promising. Here's what we know about Zen 5 so far.
Zen 5 release date and availability
AMD confirmed in January 2024 that it was on track to launch Zen 5 sometime in the "second half of the year." Considering the launch of Zen 4 was in September 2022, we would expect to see Zen 5 desktop processors debut around the same timeframe, possibly with an announcement in the summer at Computex.

Read more