Google Researcher Finds Remote Vulnerability in LastPass – Update
Google security researcher Tavis Ormandy claims to have found a remotely usable vulnerability in the popular password manager LastPass. According to him, it is a ‘complete remote compromise’.
No further details about the vulnerability are known yet; so far the researcher has only revealed via Twitter that he has sent a report of his findings to LastPass. He appears to have found the flaw quickly: five hours after announcing that he was going to look for vulnerabilities in the software, he sent out the tweet in question.
It appears to be a serious vulnerability, which probably allows passwords to be read remotely. The researcher also promises to look at the alternative 1Password and examine that software for vulnerabilities. Ormandy regularly finds vulnerabilities in various products, including those from AVG, Trend Micro and Comodo. LastPass is expected to release a patch and an accompanying explanation soon.
Update, 12.30 pm: As Tweakers user MarkH NL points out, another researcher also published a vulnerability in LastPass on Wednesday. That one has since been resolved by the LastPass team within a day, he writes in a blog post, so it does not appear to be the same vulnerability. That flaw was related to LastPass’ AutoFill feature, which mishandled URLs: it allowed the researcher to get the LastPass extension to offer the passwords saved for one URL while he was actually on a different domain.
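The AutoFill issue above is an instance of a general class of bug: deciding whether a saved credential belongs to the current page by loose string matching on the URL instead of comparing parsed origins. The following is an added illustration written for this article, not LastPass code and not a reconstruction of the actual bug; the vault entries, hostnames and the function names `naiveMatch`, `originMatch` and `credentialsForPage` are all constructed for the example. It shows a naive containment check beside a hardened origin comparison and a filter that only offers credentials whose saved origin exactly matches the page.

```javascript
// Constructed vault: each credential is stored with the full URL it was saved on.
const VAULT = [
  { site: 'https://example.com/login', user: 'alice', secret: 'hunter2' },
  { site: 'https://bank.example/auth', user: 'alice', secret: 'corr3ct-h0rse' },
  { site: 'http://intranet.example/', user: 'alice', secret: 'plain-http' },
];

// Naive check: does the page URL contain the saved host text anywhere?
// This is the mistake class described in the article: a host that merely
// embeds the saved name (as a subdomain, path or query value) also matches.
function naiveMatch(savedHost, pageUrl) {
  return pageUrl.includes(savedHost);
}

// Hardened check: parse both URLs and compare their origin
// (scheme + host + port). Unparsable or non-http(s) URLs never match,
// because schemes such as data: or blob: yield the opaque origin "null",
// and two "null" origins would otherwise compare equal.
function originMatch(savedUrl, pageUrl) {
  let saved, page;
  try {
    saved = new URL(savedUrl);
    page = new URL(pageUrl);
  } catch {
    return false;
  }
  const webScheme = (u) => u.protocol === 'https:' || u.protocol === 'http:';
  if (!webScheme(saved) || !webScheme(page)) return false;
  return saved.origin === page.origin;
}

// Returns only the usernames whose saved origin matches the page origin;
// the secrets themselves are not exposed until the user picks an entry.
function credentialsForPage(pageUrl, vault = VAULT) {
  return vault
    .filter((entry) => originMatch(entry.site, pageUrl))
    .map((entry) => entry.user);
}

// Stand-alone demonstration on constructed page URLs.
if (typeof require !== 'undefined' && require.main === module) {
  const lookalike = 'https://example.com.attacker.test/login';
  console.log('naive  :', naiveMatch('example.com', lookalike));   // true  (wrong)
  console.log('origin :', originMatch(VAULT[0].site, lookalike));  // false (right)
  console.log('offered:', credentialsForPage('https://example.com/account'));
}
```

The key design choice is that the comparison is done on the parsed `origin`, so a different port, a downgrade from https to http, or a host that only contains the saved hostname as a substring all fail closed.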
Update, 8.35 pm: LastPass has released a fix for the vulnerability. The vulnerability was in the Firefox add-on of version 4.0 of the password manager; users of version 3.0 or of other browsers are not affected.