LastPass hit by password stealing and code execution vulnerabilities

Google cyber-sleuth Tavis Ormandy has returned to examining LastPass, and a new lot of vulnerabilities have been discovered.
Written by Chris Duckett, Contributor

LastPass has closed a remote code execution vulnerability in its Chrome extension, but according to Google Project Zero researcher Tavis Ormandy, issues remain in its Firefox extension, and details of another password-stealing vulnerability are still to come.

Writing in the Project Zero issue tracker, Ormandy said it was possible to proxy untrusted messages to LastPass.

"This allows complete access to internal privileged LastPass RPC commands," the researcher said. "There are hundreds of internal LastPass RPCs, but the obviously bad ones are things copying and filling in passwords (copypass, fillform, etc)."

Additionally, if a user has the LastPass binary component installed, the system was vulnerable to remote code execution.
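The vulnerability class Ormandy describes, untrusted messages being relayed into a privileged extension back end, can be illustrated with a small simulation. The following is an added example written for this article, not LastPass code; the trusted origin, the `ping` command, the handler bodies and the relay functions are constructed stand-ins, and only the command names `copypass` and `fillform` come from the quoted report. It places an unchecked relay and dispatcher beside hardened versions that verify the sender's origin and restrict which commands page-originated messages may reach.

```javascript
// Simulated privileged RPC side of a browser extension (stand-ins, not real code).
// Only the command names copypass/fillform are taken from the article.
const rpc = {
  ping: () => "pong",                                             // constructed, harmless
  copypass: (args) => `copied credential for ${args.domain}`,    // privileged
  fillform: (args) => `filled form on ${args.domain}`,            // privileged
};

// Constructed allowlists: which origin is the extension itself, and which
// commands a message that originated in a web page may invoke at all.
const TRUSTED_ORIGINS = new Set(["chrome-extension://example-extension-id"]);
const PAGE_ALLOWED_COMMANDS = new Set(["ping"]);

// Weak dispatcher: executes any message that reaches it, regardless of source.
function dispatchUnchecked(msg) {
  const fn = rpc[msg.cmd];
  return fn ? fn(msg.args || {}) : null;
}

// Hardened dispatcher: decides by sender origin before touching the RPC table.
function dispatchChecked(msg, sender) {
  const fromExtension = TRUSTED_ORIGINS.has(sender.origin);
  if (!fromExtension && !PAGE_ALLOWED_COMMANDS.has(msg.cmd)) {
    return { ok: false, reason: `refused ${msg.cmd} from ${sender.origin}` };
  }
  const fn = rpc[msg.cmd];
  if (!fn) return { ok: false, reason: "unknown command" };
  return { ok: true, result: fn(msg.args || {}) };
}

// Weak relay: a content script forwarding whatever the page posted, unchanged,
// into the privileged side. This is the "proxy untrusted messages" pattern.
function relayUnchecked(pageEvent) {
  return dispatchUnchecked(pageEvent.data);
}

// Hardened relay: checks the page message's origin against what the script
// expects and tags the message as page-originated so page rules apply.
function relayChecked(pageEvent, expectedOrigin) {
  if (pageEvent.origin !== expectedOrigin) {
    return { ok: false, reason: "origin mismatch" };
  }
  return dispatchChecked(pageEvent.data, { origin: pageEvent.origin });
}

// Constructed sample: a message posted by an arbitrary web page.
const pageMessage = {
  origin: "https://attacker.example",
  data: { cmd: "copypass", args: { domain: "bank.example" } },
};

console.log("unchecked relay:", relayUnchecked(pageMessage));
console.log("checked relay:  ", relayChecked(pageMessage, "https://bank.example"));
```

The detection angle follows from the same split: a privileged handler that never inspects its sender has no way to log or refuse a message that arrived through a page-level relay, so adding the origin check is also what makes refused calls visible in the extension's own logs.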

LastPass worked around the issue by returning a DNS error on the affected domain. The company said on Twitter it would be providing further details on the issue in a future blog post.

"Hopefully they have taken down the service and not just removed the DNS entry, or a mitm [man in the middle] can still insert correct DNS responses," Ormandy wrote.

"(Please note, issue 1188 which affects LastPass on firefox is not fixed, and still works)."

In an eyebrow-raising exchange, according to Ormandy, LastPass had said it could not get his code execution exploit to work; however, the researcher had been calling the Windows Calculator executable in his code, while LastPass was examining the code on a Mac.

"Naturally, calc.exe will not appear on a Mac," he said.

Hours later, Ormandy said he had found yet another vulnerability in the password management software.

"I found another bug in LastPass 4.1.35 (unpatched), allows stealing passwords for any domain," he said on Twitter. "Full report will be on the way shortly."

LastPass has fallen under Ormandy's gaze in the past, with the researcher previously finding bugs that allowed for a remote compromise of LastPass accounts.

"Are people really using this lastpass thing?" Ormandy said in July 2016.

Ormandy has recently been looking at web browser extensions, and earlier this year found a remote code execution bug in the Cisco WebEx Chrome extension, as well as an auto-installed Adobe Acrobat Chrome extension that left its users vulnerable to cross-site scripting attacks.

LastPass was purchased by LogMeIn for $110 million in October 2015.
