LastPass Security Flaw Could Have Let Hackers Steal Passwords Through Browser Extensions

A LastPass security vulnerability could have allowed malicious attackers to steal users’ passwords, a researcher revealed this week.

On Monday, Google researcher Tavis Ormandy reported the vulnerability in the popular password management tool. In an outline of the problem, Ormandy explains that a coding flaw allowed anyone to “proxy” unauthenticated messages to a LastPass browser extension. By exploiting the problem, a hacker could obtain access to privileged LastPass commands — including “the obviously bad ones,” such as “copying and filling in passwords (copypass, fillform, etc).”

LastPass, in a short blog post released today, explained that the issue was related to an experimental feature on all LastPass browser clients. (Ormandy reported multiple vulnerabilities, although the company said they are “largely the same.”) The company issued a fix before the vulnerability was publicly revealed, and says updates for users should be applied automatically. LastPass is not currently asking users to update any passwords.

“We have no indication that any of the reported vulnerabilities were exploited in the wild, but we’re doing a thorough review at this time to confirm,” the company said in the blog post. “We will soon provide a more comprehensive summary of the events and what our community needs to know.”

This isn’t the first time Ormandy has reported an issue in LastPass. Last year, the researcher sent a report on “a complete remote compromise” to the company. On Twitter, this time he credited LastPass with a swift response. “Very impressed with how fast @LastPass responds to vulnerability reports,” he wrote. “If only all vendors were this responsive.”