LastPass hack used Plex vulnerability that was patched three years ago
Last November’s LastPass hack exploited a vulnerability in Plex that was already patched in May 2020, PCMag discovered. The hack could have been prevented if the employee on whose home computer the malware was installed had updated the software.
It’s about the CVE-2020-5741vulnerability in the software Plex Media Server, writes PCMag. The Camera Upload feature allowed attackers to force the server to execute malicious code. To do this, the attackers must already have administrative access to the LastPass employee’s Plex account. It is not known how they succeeded. After the LastPass devops programmer installed the malware, the hackers were able to record the victim’s keystrokes and learn the master password. The LastPass employee subsequently also approved the multi-factor authentication request.
In a response, Plex tells PCMag that a patch for the vulnerability was released in May 2020, but that the employee in question never upgraded the software. Since then, 75 new software versions of Plex have been released. It’s unclear why the programmer hasn’t updated the software in all this time, especially since many of the updates are supposed to happen automatically.
Through this senior devops programmer, the attackers gained access to LastPass’s cloud backups last year, which contained customer data such as mfa seeds and identifiable info, LastPass announced last week. Also, five blobs were downloaded from backups of customers who had accounts between August 20 and September 8. Those blobs also contained encrypted fields for passwords and unencrypted fields for URL names, for example.