
Latest bugs in LastPass allowed attackers to steal passwords

Password manager LastPass is patching a number of critical vulnerabilities in its software that could have let attackers steal users’ passwords.

No software is ever totally safe, and while password managers offer real security and convenience, they are not impervious, as these flaws demonstrate.


The latest bugs were discovered by Google Project Zero researcher Tavis Ormandy, who is renowned for finding and disclosing flaws in security software. Ormandy said he found a vulnerability in the password manager’s browser extension that lets an attacker steal passwords and, where the extension’s binary component is installed, launch programs on the victim’s machine.

In a proof of concept, Ormandy used the flaw to launch an application, opening the calculator in Windows. A malicious actor, he said, could use the same access to steal password details as the manager fills them into login fields.

“That doesn’t look good, this script will proxy unauthenticated window messages to the extension. This is clearly a mistake, because anybody can do [it],” he wrote in his advisory.

“Therefore, this allows complete access to internal privileged LastPass RPC [remote procedure calls] commands,” he said.

https://twitter.com/taviso/status/844312124541186048
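The mechanism in Ormandy’s quotes, a content script that proxies unauthenticated window messages into the extension’s privileged RPC layer, shown as an added JavaScript example. This is not LastPass’s code and is not taken from the advisory; the vault origin, command names, RPC handlers and the stand-ins for `window` and `chrome.runtime.sendMessage` are all assumptions made for illustration. It places the unsafe relay next to a hardened one that requires an exact origin match, a message source of the page window itself, and an allowlist of low-privilege commands, and it shows why a prefix-based origin check is not a fix.

```javascript
// Added example, not LastPass code. Models the "proxy unauthenticated window
// messages to the extension" mistake and a hardened alternative. All names
// below are illustrative assumptions.

// Stand-in for the extension's privileged command surface (constructed).
const privilegedRpc = {
  getLogins(args) {
    // Would return the stored credentials for the requested site.
    return [{ site: args.site, user: "alice", pass: "hunter2" }];
  },
  openAttach(args) {
    // Would hand a path to a native binary component for execution.
    return "exec:" + args.path;
  },
  ping() {
    return "pong";
  },
};

// Stand-in for chrome.runtime.sendMessage plus the background dispatcher.
function sendToExtension(msg) {
  const fn = msg && privilegedRpc[msg.cmd];
  return fn ? fn(msg.args || {}) : { error: "unknown command" };
}

// Sentinels standing in for the top-level `window` and an injected iframe.
const PAGE_WINDOW = { name: "page" };
const EVIL_FRAME = { name: "frame" };

// Builds a MessageEvent-like object as a content script would receive it.
function makeEvent(origin, source, data) {
  return { origin, source, data };
}

// VULNERABLE: relays whatever arrives on the window to the extension, so any
// page, or any frame inside any page, reaches the privileged RPC commands.
function vulnerableProxy(event) {
  return sendToExtension(event.data);
}

// A common half-fix that is still broken: prefix-matching the origin string.
// "https://vault.example.attacker.example" passes this check.
function looseOriginCheck(origin, trustedOrigin) {
  return origin.indexOf(trustedOrigin) === 0;
}

// HARDENED: exact-origin match, the message must come from the page window
// itself (not a frame), and only allowlisted low-privilege commands are
// forwarded. Privileged commands are never reachable from page context.
const PAGE_EXPOSED_COMMANDS = new Set(["ping"]);

function hardenedProxy(event, trustedOrigin, pageWindow = PAGE_WINDOW) {
  if (event.origin !== trustedOrigin) return null; // exact, not prefix
  if (event.source !== pageWindow) return null; // reject frames
  const data = event.data;
  if (!data || typeof data !== "object") return null;
  if (!PAGE_EXPOSED_COMMANDS.has(data.cmd)) return null; // allowlist
  return sendToExtension({ cmd: data.cmd, args: data.args || {} });
}

const TRUSTED_ORIGIN = "https://vault.example"; // assumed vault origin

// Scenario: an attacker-controlled page asks for another site's logins, and a
// frame on an attacker page tries the same; the trusted page pings.
function demo() {
  const attack = makeEvent("https://attacker.example", PAGE_WINDOW, {
    cmd: "getLogins",
    args: { site: "bank.example" },
  });
  const framed = makeEvent(TRUSTED_ORIGIN, EVIL_FRAME, { cmd: "ping" });
  return {
    leaked: vulnerableProxy(attack),
    blocked: hardenedProxy(attack, TRUSTED_ORIGIN),
    frameBlocked: hardenedProxy(framed, TRUSTED_ORIGIN),
    looseBypass: looseOriginCheck("https://vault.example.attacker.example", TRUSTED_ORIGIN),
    allowed: hardenedProxy(makeEvent(TRUSTED_ORIGIN, PAGE_WINDOW, { cmd: "ping" }), TRUSTED_ORIGIN),
    privilegedEvenFromTrusted: hardenedProxy(
      makeEvent(TRUSTED_ORIGIN, PAGE_WINDOW, { cmd: "openAttach", args: { path: "calc.exe" } }),
      TRUSTED_ORIGIN
    ),
  };
}

console.log(demo());
```

The design point is that the proxy, not the RPC handler, is the trust boundary: a content script runs in the page’s world, so anything it forwards unconditionally is effectively exposed to every site the user visits. Origin and source checks narrow who can talk to it, and the allowlist means that even the trusted origin cannot reach commands such as `openAttach` from page context.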

LastPass said in a tweet that this has been fixed and promised a blog post with more details on what went wrong, but the post has yet to materialize.

Ormandy also found remote code execution vulnerabilities in the password manager’s Chrome and Firefox extensions. The Chrome bug has since been patched; the Firefox version remains unpatched for now, though this may be due to a holdup on Mozilla’s end.

“We are aware of reports of a Firefox add-on vulnerability. Our security is investigating and working on issuing a fix,” said LastPass on Tuesday night.

This isn’t the first time that Ormandy has poked holes in LastPass’ software. In 2016, he disclosed a Firefox-related flaw that would have allowed an attacker to access a user’s extension without their knowledge and delete their stored passwords.

Jonathan Keane
Former Digital Trends Contributor
Jonathan is a freelance technology journalist living in Dublin, Ireland. He's previously written for publications and sites…