LastPass Remote Compromise vulnerability

LastPass has a bunch of critical problems of which at least one allows attackers to compromise the password manager remotely according to Google researcher Tavis Ormandy.

LastPass is one of the most popular online password management services on today's Internet. The service offers extensions for various browsers, mobile apps, and dedicated solutions for various operating systems and devices.

A full report was sent to LastPass by Tavis Ormandy and it appears that the company is working on analyzing and fixing the issues at the time of writing.

The issues have not been disclosed publicly yet. While that is the right thing to do until they are fixed, it means that LastPass users don't really know if the issue can be mitigated until a fix is provided.

Update: LastPass released a security update for the Firefox add-on. According to a blog post on the official site, an attacker could lure a LastPass user to a malicious site to execute LastPass actions in the background without the user knowing about them. This has been fixed in LastPass 4.0 for Firefox.

Additional information about the reported issue are available on the Project Zero forum over at Chromium.org.

LastPass Remote Compromise vulnerability

The only information provided are the following two tweets:

Are people really using this lastpass thing? I took a quick look and can see a bunch of obvious critical problems. I'll send a report asap.

Full report sent to LastPass, they're working on it now. Yes, it's a complete remote compromise. Yes, I promise I'll look at 1Password.

Considering that, it is unclear if features such as two-factor authentication or use of other security add-ons protect users and data from attacks. In fact, it is not even clear if LastPass' network and infrastructure, the browser extension, mobile apps or other products are affected by the vulnerability.

It can very well be that only the browser extension is affected, considering that it is the most likely that Tavis took a look at due to its availability for the Chrome browser.

The security researcher set his sight on the next password manager, 1Password which is up next according to a Twitter message.

Password managers store critical data. This makes them one of the most important programs for a user, and a lucrative target for attackers.

The disclosed security issue is not the first incident in LastPass' history.  In 2015, LastPass confirmed that it detected suspicious activity on the company network. Only recently, another issue was reported and fixed that allowed attackers to extract passwords using the extension's autofill functionality.

LastPass is usually very responsive and fast when it comes to the patching of security issues affecting company products. We will update the article when new information come to light.