![LastPass Chrome extension](https://news-cdn.softpedia.com/images/news2/fake-lastpass-chrome-extension-found-on-the-google-web-store-503508-3.png)

Password vault LastPass is scrambling to patch critical security flaws that malicious websites can exploit to steal millions of victims’ passphrases.

LASTPASS CHROME EXTENSION CODE

The programming cockups were spotted by Tavis Ormandy, a white-hat hacker on Google’s crack Project Zero security team. He found that the LastPass Chrome extension has an exploitable content script that evil webpages can attack to extract usernames and passwords.

LastPass works by storing your passwords in the cloud. It provides browser extensions that connect to your LastPass account and automatically fill out your saved login details when you surf to your favorite sites. However, due to the discovered vulnerabilities, simply browsing a malicious website is enough to hand over all your LastPass passphrases to strangers.

The weak LastPass script uncovered by Ormandy can be tricked into granting access to the manager’s internal mechanisms, which is rather bad news. The script can also be abused to execute commands on the victim’s computer – Ormandy demonstrated this by running calc.exe simply by opening a webpage. A malicious website could exploit this hole to drop malware on a visiting machine. A victim must have the binary component of LastPass installed to be vulnerable to this attack.

After advocating password managers for a long time, this is not a good look. This is a pretty major vulnerability for a company that is supposed to make your passwords MORE secure, not leak them to any malicious site that has also figured out the same stuff Tavis spotted.

LASTPASS CHROME EXTENSION PATCH

The password manager developer has experience with Ormandy after he found another flaw in its code last year that could compromise a punter’s passwords just by visiting the wrong website.

“We greatly appreciate the work of the security community to challenge our product and uncover areas that need improvement,” Joe Siegrist, cofounder and VP of LastPass, told The Register.

It’s a shame Passpack isn’t being updated actively, as architecturally it seems like a much better product; the UI is shit though, and it’s buggy for managing mass user accounts.