Latest bugs in LastPass allowed attackers to steal passwords

Password manager LastPass is patching a number of critical vulnerabilities in its software that left users’ passwords potentially leaking.

No software is ever totally safe and while password managers can offer a degree of security and convenience, they are not impervious as these security flaws demonstrate.

The latest bugs were discovered by Google Project Zero researcher Tavis Ormandy, who is renowned for finding and disclosing flaws in security software. Ormandy said he found a vulnerability that allows passwords to be stolen by running a binary version of the password manager’s extension.

In a proof of concept, Ormandy demonstrated using the code to launch an application. He opened the Windows calculator, but, he said, a malicious actor could use the same code to steal password details as the manager enters them into login fields.

“That doesn’t look good, this script will proxy unauthenticated window messages to the extension. This is clearly a mistake, because anybody can do [it],” he wrote in his advisory.

“Therefore, this allows complete access to internal privileged LastPass RPC [remote procedure calls] commands,” he said.
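The defect Ormandy describes is a content script that relays window messages to the extension without checking who sent them, so any page can reach the privileged side. As an added illustration (this is not LastPass’s code; the origin, message names, relay functions and sample events are all hypothetical), here is that vulnerable pattern beside a hardened relay that checks the sender’s origin and source and only forwards an allowlisted set of message types:

```javascript
// Added example, not LastPass code. A content script sits between an
// untrusted web page (window.postMessage) and privileged extension code.
// Every value below is constructed for the demonstration.

// Hypothetical allowlist of page origins permitted to talk to the extension.
const TRUSTED_ORIGINS = new Set(["https://vault.example.com"]);
// Hypothetical allowlist of low-privilege message types a page may send.
const ALLOWED_TYPES = new Set(["getVersion", "isLoggedIn"]);

// Vulnerable: proxies every window message straight to the extension.
// Any page, iframe or injected script can reach privileged RPC handlers.
function vulnerableRelay(event, sendToExtension) {
  sendToExtension(event.data);
  return true; // always forwarded
}

// Hardened: returns true only when the message is actually forwarded.
// expectedSource is the window object the script expects messages from;
// the sample below uses string tokens in place of real window objects.
function hardenedRelay(event, sendToExtension, expectedSource) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return false;     // unknown sender origin
  if (event.source !== expectedSource) return false;        // wrong window/iframe
  const msg = event.data;
  if (typeof msg !== "object" || msg === null) return false; // malformed payload
  if (typeof msg.type !== "string" || !ALLOWED_TYPES.has(msg.type)) return false;
  // Re-build the message instead of forwarding the attacker-controlled object,
  // so no extra properties reach the privileged side.
  sendToExtension({ type: msg.type, args: Array.isArray(msg.args) ? msg.args : [] });
  return true;
}

// Constructed sample events, shaped like the MessageEvent fields a content
// script would inspect (origin, source, data).
const SAMPLE_EVENTS = [
  { origin: "https://vault.example.com", source: "topWindow", data: { type: "getVersion" } },
  { origin: "https://attacker.example",  source: "topWindow", data: { type: "getVersion" } },
  { origin: "https://vault.example.com", source: "topWindow", data: { type: "readCredential" } },
  { origin: "https://vault.example.com", source: "childFrame", data: { type: "isLoggedIn" } },
  { origin: "https://vault.example.com", source: "topWindow", data: "not-an-object" },
];

// Run both relays over the sample and report how many messages each forwards.
function compareRelays(events = SAMPLE_EVENTS) {
  const vulnerableSeen = [];
  const hardenedSeen = [];
  events.forEach((e) => vulnerableRelay(e, (m) => vulnerableSeen.push(m)));
  const hardenedResults = events.map((e) =>
    hardenedRelay(e, (m) => hardenedSeen.push(m), "topWindow"));
  return {
    vulnerableForwarded: vulnerableSeen.length,
    hardenedForwarded: hardenedSeen.length,
    hardenedResults,
    hardenedSeen,
  };
}

console.log(JSON.stringify(compareRelays(), null, 2));
```

The vulnerable relay forwards all five constructed messages, including the one from another origin and the one naming a type outside the allowlist; the hardened relay forwards only the first. Checking `event.origin` alone is not enough, since a same-origin iframe can also post messages, which is why the source check and the type allowlist are both applied.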

I found another bug in LastPass 4.1.35 (unpatched), allows stealing passwords for any domain. Full report will be on the way shortly. pic.twitter.com/9VkV7R3vud

— Tavis Ormandy (@taviso) March 21, 2017

LastPass said in a tweet that this has been fixed and promised a blog post with more details on what went wrong but the post has yet to materialize.

Ormandy also found remote code execution vulnerabilities in the password manager’s Chrome and Firefox extensions. The Chrome bug has since been patched, but the Firefox version remains unpatched for now, although this may be due to a holdup on Mozilla’s end.

“We are aware of reports of a Firefox add-on vulnerability. Our security is investigating and working on issuing a fix,” said LastPass on Tuesday night.

This isn’t the first time that Ormandy has poked holes in LastPass’ software. In 2016, he disclosed a Firefox-related flaw that would have allowed an attacker to access someone’s extension, without them knowing, and delete the passwords.

Jonathan Keane
Former Digital Trends Contributor
Jonathan is a freelance technology journalist living in Dublin, Ireland. He's previously written for publications and sites…