U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Vulnerabilities in LastPass allowed attackers to steal passwords

The notorious Google Project Zero hacker Tavis Ormandy discovered numerous vulnerabilities in the Chrome and Firefox extensions of the LastPass password manager. The Security expert at Google Project Zero Tavis Ormandy discovered several vulnerabilities in Chrome and Firefox extensions of the LastPass password manager that can be exploited to steal passwords. The expert also wrote PoC exploit for the flaw […]

Vulnerabilities in LastPass allowed attackers to steal passwords

The notorious Google Project Zero hacker Tavis Ormandy discovered numerous vulnerabilities in the Chrome and Firefox extensions of the LastPass password manager.

The Security expert at Google Project Zero Tavis Ormandy discovered several vulnerabilities in Chrome and Firefox extensions of the LastPass password manager that can be exploited to steal passwords.

The expert also wrote PoC exploit for the flaw and highlighted that only one of them appears to have been patched by LastPass.

Ormandy first discovered a flaw in the Firefox version of the LastPass extension (version 3.3.2), he avoided to publicly disclose the details for obvious reasons. According to the Google disclosure policy, LastPass has 90 days to solve the issue before Project Zero experts will disclose the details.

LastPass confirmed that the security team is already working to fix the bug.

Yesterday, Ormandy reported another flaw that affected both the Chrome and Firefox versions of LastPass. The researcher explained that the vulnerability allowed attackers to steal a user’s passwords and, if the binary component was enabled, execute arbitrary code via remote procedure call (RPC) commands.

In order to exploit the flaw, the attacker has to trick victims into visiting a specially crafted web page.

In this case, LastPass promptly issued a temporary fix and immediately after announced it has fully patched the vulnerability on the server side.

Ormandy publicly disclosed the details of the flaw including a proof-of-concept (PoC) code. The flaw existed due to the websiteConnector.js content script proxying unauthenticated messages to the extension. An attacker can exploit it to gain access to internal LastPass RPC commands.

“Therefore, this allows complete access to internal privileged LastPass RPC commands. There are hundreds of internal LastPass RPCs, but the obviously bad ones are things copying and filling in passwords (copypass, fillform, etc).” wrote the expert. “If you install the binary component (https://lastpass.com/support.php?cmd=showfaq&id=5576), you can also use “openattach” to run arbitrary code.”

Ormandy also spotted another vulnerability that can be exploited to steal passwords for any domain.

https://twitter.com/taviso/status/844312124541186048

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – LastPass, hacking)