Tavis Ormandy, a security researcher with Google Project Zero, has found a critical code-execution bug in LastPass that would allow attackers to steal all of a user's saved passwords.
The bug was found in the LastPass browser extensions for Chrome and Firefox. The good news is that the Chrome extension has been patched; the Firefox extension, however, remains unpatched, leaving its users at risk.
"This allows complete access to internal privileged LastPass RPC commands," the researcher said. "There are hundreds of internal LastPass RPCs, but the obviously bad ones are things copying and filling in passwords (copypass, fillform, etc)."
LastPass worked around the issue by returning a DNS error on the affected domain. The company said on Twitter it would be providing further details on the issue in a future blog post.
This is not the first time Ormandy has taken LastPass to task: he previously found bugs that allowed remote compromise of LastPass accounts.
One remarkable detail Ormandy added: the LastPass team at first failed to reproduce the bug and said his exploit code did not work. The reason was that his proof of concept launched the Windows Calculator executable, while LastPass was testing it on a Mac, where calc.exe is obviously not available.
"I found another bug in LastPass 4.1.35 (unpatched), allows stealing passwords for any domain. Full report will be on the way shortly. pic.twitter.com/9VkV7R3vud" (Tavis Ormandy, @taviso, March 21, 2017)
That is not the end of it: Ormandy has since found another critical bug in LastPass 4.1.35 (unpatched) that allows stealing passwords for any domain. A full report is expected shortly.