Latest bugs in LastPass allowed attackers to steal passwords

Password manager LastPass is patching a number of critical vulnerabilities in its software that left users’ passwords potentially exposed.

No software is ever totally safe, and while password managers can offer a degree of security and convenience, they are not impervious, as these security flaws demonstrate.

The latest bugs were discovered by Google Project Zero researcher Tavis Ormandy, who is renowned for finding and disclosing flaws in security software. Ormandy said he found a vulnerability that allows for the stealing of passwords by running a binary version of the password manager’s extension.

In a proof of concept, Ormandy demonstrated using the code to launch an application. He opened the calculator in Windows but, he said, a malicious actor could use this code to steal password details when the manager is entering them into the login fields.

“That doesn’t look good, this script will proxy unauthenticated window messages to the extension. This is clearly a mistake, because anybody can do [it],” he wrote in his advisory.

“Therefore, this allows complete access to internal privileged LastPass RPC [remote procedure calls] commands,” he said.
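
The relay mistake described in these quotes, sketched as an added example (not LastPass's code and not taken from the advisory): a weak relay that forwards every window message sits beside a hardened one that authenticates the sender and allowlists commands. The origin, command names and function names are hypothetical, and the events are constructed so the block runs in Node without a browser.

```javascript
// Added illustration of a content-script message relay, modelled as plain functions.
// TRUSTED_ORIGIN, PAGE_COMMANDS and all command names are hypothetical.
const TRUSTED_ORIGIN = "https://vault.example";
const PAGE_COMMANDS = new Set(["getVersion", "openLoginDialog"]); // low-privilege only

// Weak form: proxies every window message to the privileged side unchanged.
function naiveRelay(event, sendToExtension) {
  sendToExtension(event.data);
  return true;
}

// Hardened form: check who sent the message, then restrict what it may request.
function hardenedRelay(event, pageWindow, sendToExtension) {
  if (event.source !== pageWindow) return false;      // other frames and windows
  if (event.origin !== TRUSTED_ORIGIN) return false;  // pages the vendor does not control
  const msg = event.data;
  if (msg === null || typeof msg !== "object") return false;
  if (typeof msg.cmd !== "string" || !PAGE_COMMANDS.has(msg.cmd)) return false;
  // Forward a fresh object holding only expected fields, never the raw payload.
  sendToExtension({ cmd: msg.cmd, requestId: String(msg.requestId ?? "") });
  return true;
}

// Constructed sample events shaped like browser MessageEvent objects.
function runDemo() {
  const pageWindow = { name: "top" };
  const otherFrame = { name: "embedded-frame" };
  const events = [
    { source: pageWindow, origin: TRUSTED_ORIGIN,
      data: { cmd: "getVersion", requestId: 1 } },        // legitimate request
    { source: pageWindow, origin: "https://other.example",
      data: { cmd: "getVersion" } },                      // untrusted origin
    { source: pageWindow, origin: TRUSTED_ORIGIN,
      data: { cmd: "internalPrivilegedCall" } },          // not on the allowlist
    { source: otherFrame, origin: TRUSTED_ORIGIN,
      data: { cmd: "getVersion" } },                      // wrong sender window
  ];
  const naive = [];
  const hardened = [];
  for (const e of events) {
    naiveRelay(e, (m) => naive.push(m));
    hardenedRelay(e, pageWindow, (m) => hardened.push(m));
  }
  return { naive, hardened };
}

console.log(runDemo());
```

The allowlist matters even when the origin check passes: the privileged side should still treat page-supplied input as untrusted and expose only the commands a page legitimately needs.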

I found another bug in LastPass 4.1.35 (unpatched), allows stealing passwords for any domain. Full report will be on the way shortly. pic.twitter.com/9VkV7R3vud

— Tavis Ormandy (@taviso) March 21, 2017

LastPass said in a tweet that this has been fixed and promised a blog post with more details on what went wrong, but the post has yet to materialize.

Ormandy also found remote code execution vulnerabilities in the password manager’s Chrome and Firefox extensions. The Chrome bug has since been patched, but the Firefox version remains unpatched for now; this may be due to a holdup on Mozilla’s end.

“We are aware of reports of a Firefox add-on vulnerability. Our security is investigating and working on issuing a fix,” said LastPass on Tuesday night.

This isn’t the first time that Ormandy has poked holes in LastPass’ software. In 2016, he disclosed a Firefox-related flaw that would have allowed an attacker to access someone’s extension, without them knowing, and delete the passwords.

Jonathan Keane
Former Digital Trends Contributor
Jonathan is a freelance technology journalist living in Dublin, Ireland. He's previously written for publications and sites…