Alerted by security researchers, LastPass, the password vault, has urgently patched a vulnerability affecting its browser extensions for Firefox and Chrome.
Even the LastPass password manager can be compromised. A Google security researcher found a way to hijack the software remotely through its Firefox add-on. For the attack to work, the user must first be lured to a malicious site; that site exploits the flaw in the LastPass add-on for Firefox and lets the attacker take control of the password manager. LastPass said yesterday that a fix is already available to Firefox users.
The problem was discovered by Google security researcher Tavis Ormandy. On Tuesday, after examining the password manager, he tweeted: "Do people really use this LastPass? I looked at the manager closely and found a bunch of obvious critical issues. I will send a report to the vendor as soon as possible." Any vulnerability in LastPass puts its users at serious risk: the popular software is meant to store securely all the passwords a user has set for different sites and to fill in the login fields automatically when needed.
Another flaw in the extension for Chrome
Tavis Ormandy is not the only security researcher to have taken an interest in the password manager. On Wednesday, Mathias Karlsson of Detectify Labs said he too had managed to break LastPass. As he writes in a blog post, he was able to steal users' passwords by exploiting a bug in the password manager's extension, this time for the Chrome browser. The LastPass browser extension is normally used to fill in a user's password automatically on websites where they have an account. Karlsson noticed, however, that the extension injected a snippet of HTML into every site he visited. That code analyses the page's address to work out which domain the user is on, and then enters the matching password in the required field.
The problem is that this domain detection can be fooled: the extension hands over the user's password even when the user is not on the corresponding website. The Detectify Labs researcher exploited the bug by crafting a URL that tricked the LastPass extension into believing he was visiting Twitter's site, and, as expected, the extension filled in his Twitter password on the fake page. An attacker could exploit the same flaw by setting up a malicious website and luring LastPass users to it; the site could then silently harvest their passwords.
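The class of bug described above, as an added illustration that is not LastPass's code and does not reproduce the specific flaw Karlsson reported: an autofill component decides which stored credential to fill by working out the current page's host. The hypothetical `naiveHost` routine extracts the host with a hand-written regex (treating everything before the last `@` as userinfo, the way a careless parser might); the hardened `parsedHost` uses the browser's own WHATWG `URL` parser, which is the same parser that decides where the request really goes. `shouldAutofill` then matches the host against a stored site only on a label boundary. All URLs, the site name `twitter.com` (used because the article mentions Twitter) and the function names are constructed for this example.

```javascript
// Added example, not LastPass code. Shows why an autofill component must not
// roll its own URL parsing when deciding which site it is on.

// HYPOTHETICAL fragile matcher: drop the scheme, treat anything up to the LAST
// "@" as userinfo, cut at the first "/", ":", "?" or "#". A crafted URL that
// carries an "@" in its path or query steers this routine to the wrong host.
function naiveHost(href) {
  let rest = href.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "");
  const at = rest.lastIndexOf("@");
  if (at !== -1) rest = rest.slice(at + 1);
  return rest.split(/[/:?#]/)[0].toLowerCase();
}

// Hardened matcher: delegate to the WHATWG URL parser (global in browsers and
// Node). Unparseable input yields null, which means "never fill".
function parsedHost(href) {
  try {
    return new URL(href).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// May a credential stored for `site` (a bare hostname) be filled on `href`?
// Subdomains are accepted only on a label boundary, so a host such as
// "twitter.com.attacker.example" does not match "twitter.com".
function shouldAutofill(href, site, hostOf) {
  const host = hostOf(href);
  if (!host) return false;
  const s = site.toLowerCase();
  return host === s || host.endsWith("." + s);
}

// Constructed sample page addresses (not taken from the article or any real attack).
const SAMPLES = [
  "https://twitter.com/login",                          // the real site
  "https://mobile.twitter.com/login",                   // legitimate subdomain
  "https://attacker.example/phish?next=@twitter.com/",  // "@" smuggled into the query
  "https://twitter.com.attacker.example/",              // host-suffix trick
];

// Run both matchers over the samples for a given stored site.
function compare(site) {
  return SAMPLES.map((href) => ({
    href,
    naive: shouldAutofill(href, site, naiveHost),
    hardened: shouldAutofill(href, site, parsedHost),
  }));
}

console.log(JSON.stringify(compare("twitter.com"), null, 2));
```

On the third sample the naive matcher reports `twitter.com` and would fill the credential on `attacker.example`, while the hardened matcher correctly refuses; the fourth sample shows that the label-boundary check is needed even once the host is parsed correctly.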
Watch out for phishing waves
Mathias Karlsson reported the bug more than a year ago, and LastPass says it has since been fixed. The company also points out that to exploit either vulnerability, the attacker must first get the user onto a malicious site. It advises users to be wary of phishing campaigns and of links that redirect to disreputable sites.