LastPass is scrambling to fix a major security vulnerability discovered in version 4.1.42 of its Chrome browser extension.
“Over the weekend, Google security researcher Tavis Ormandy reported a new client-side vulnerability in the LastPass browser extension”, Joe Siegrist from LastPass said in a blog post.
“We are now actively addressing the vulnerability. This attack is unique and highly sophisticated”.
“We don’t want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties. So you can expect a more detailed post mortem once this work is complete”, he added.
Ah-ha, I had an epiphany in the shower this morning and realized how to get codeexec in LastPass 4.1.43. Full report and exploit on the way. pic.twitter.com/vQn20D9VCy
— Tavis Ormandy (@taviso) 25 March 2017
The company has not given any specific details about the vulnerability but did say it will issue more details once the issue has been fixed.
The vulnerability was discovered over the weekend by Tavis Ormandy from Google’s Project Zero security team, which works to find zero-day vulnerabilities around the web.
The discovery of this latest flaw couldn’t have come at a worse time for LastPass.
Just days earlier Ormandy had discovered another major security flaw in its Chrome and Firefox browser extensions, which LastPass acted promptly to fix.
“An issue with the architecture for a consumer onboarding feature affected clients on which that code appeared (Chrome, Firefox, Edge). A malicious website could trick LastPass by masking as a trusted party and steal site credentials. Users running the LastPass binary component (less than 10% of LastPass user base) were further susceptible to remote exploit when lured to a malicious website,” said Lauren VanDam of LastPass.
While it is not clear exactly if or how users have been affected by this latest security flaw, its discovery acts as a reminder that while password managers remain arguably the best way to manage your online credentials and keep them safe, they are by no means 100 percent secure.
Until the issue is resolved, LastPass recommends launching sites directly from the LastPass vault, enabling two-factor authentication on all services that offer it, and being wary of phishing attacks.