LastPass, a cloud-based password manager, is rushing to fix a number of security bugs in its browser extensions that – if exploited – could put user credentials at risk. The flaws, described as 'critical', were uncovered by Tavis Ormandy, a Google Project Zero researcher.
This week (21 March), the vulnerability hunter explained in a report how browsing a malicious website could be enough to infect the LastPass Chrome browser extension. If abused, the bugs could give hackers complete access to some internal commands, he explained.
Ormandy said that for the exploit to be successful the victim must have the binary component of LastPass installed. In a demonstration – using calc.exe – the researcher showed how a broken script could be used to launch commands on a victim's computer.
"It's possible to proxy untrusted messages to LastPass 4.1.42 due to a bug, allowing websites to access internal privileged RPCs (Remote Procedure Calls)," he wrote.
"There are a lot of RPCs, allowing complete control of the LastPass extension, including stealing passwords."
On 21 March LastPass responded to say it was "aware of the report" and that its security team had put a workaround in place while a further investigation proceeds.
Later, it added: "The issue reported [...] has been resolved. No user action is needed at this time."
However, another bug impacting Mozilla Firefox (3.3.2) – initially reported on 15 March – remains without a fix, both Ormandy and LastPass confirmed. "We are aware of reports of a Firefox add-on vulnerability. Our security is investigating and working on issuing a fix," LastPass tweeted.
In a statement to The Register, Joe Siegrist, co-founder of LastPass, said Ormandy's work was "greatly appreciated". He added: "Our team [...] worked quickly to issue the fix. As always, we recommend that users keep their software updated to the latest versions."
But the headache for the password manager, which uses extensions to auto-fill credentials straight into browsers, looks set to continue. Ormandy, after LastPass responded, tweeted: "I found another bug in LastPass 4.1.35 (unpatched), allows stealing passwords for any domain."
This is not the first time LastPass has been impacted by bugs in its platform. In July last year, Ormandy found a previously unknown vulnerability that could potentially give hackers and cybercriminals the ability to remotely access user accounts.
In 2015, the password manager was targeted by hackers who successfully hijacked sensitive user data including email addresses, password reminders and authentication hashes. In a statement at the time, LastPass stressed no "master passwords" were compromised.
Nevertheless, LastPass users responded on Twitter with frustration to the news of the latest flaw. "You've had a few of these lately, what's the plan going forward? We're trusting you with our passwords, this is no joke," one commenter said.
However, some in the security community stress that bugs of this nature should not put consumers off using password managers. Malware expert Jake Williams said: "Your odds of being pwned by a LastPass issue are far lower than if your password is disclosed from one site and reused on another."
Ormandy, well-known in security circles for his bug reporting, has previously uncovered flaws in a slew of popular anti-virus vendors including Symantec, Sophos, Trend Micro and Kaspersky Lab.
LastPass has released a statement responding to the incident:
On March 20th, we received a report of an issue in our Chrome 4.1.42 extension. We immediately investigated and released a server-side workaround within a few hours. The exploit applied to all LastPass clients – Chrome, Firefox, Edge – in which an experimental user onboarding feature was released.
Later, on March 21st, another report came in related to Firefox 4.1.35a. In fact, this vulnerability is largely the same as the one reported the prior day, and affects the 4.x Firefox add-on. While this issue would have been addressed by our full fix to follow our workaround, this report was received before this could be released. We issued an update to specifically address that report.
The fixes are being pushed to all users and most should be updated automatically.
We have no indication that any of the reported vulnerabilities were exploited in the wild, but we're doing a thorough review at this time to confirm. We will soon provide a more comprehensive summary of the events and what our community needs to know. No password changes are required of users at this time.