LastPass Releases Update for Firefox Addon That Contained Vulnerability
LastPass has revealed that the vulnerability discovered earlier on Wednesday is in its password manager add-on for Firefox. An update that fixes the vulnerability has been prepared and will be pushed to users.
In a blog post, LastPass responds to the reporting about the vulnerability that was discovered on Wednesday. According to the creators of the password manager, malicious parties could have exploited the vulnerability by luring users to a malicious website. Users running LastPass 4.0 in combination with Firefox would then be vulnerable. The vulnerability does not affect users of other browsers.
LastPass is in the process of releasing an update that closes the vulnerability for Firefox users. Users can also download the fix themselves. The vulnerability has been fixed in version 4.1.21a. Users can check which version they are running by clicking About LastPass under the More Options menu of the Firefox add-on. The vulnerability was only in version 4.0; users of LastPass 3.0 do not need to take any action.
Google researcher Tavis Ormandy announced earlier on Wednesday that he had discovered a remotely exploitable vulnerability in the password manager. According to Ormandy, it was a ‘complete remote compromise’, which probably made it possible to read passwords remotely. Ormandy immediately notified LastPass, and the vulnerability, which appears to be in the Firefox add-on, has now been patched.
On Wednesday, another story, from Detectify Labs, appeared in the media about a vulnerability in LastPass. This concerns a different vulnerability, but LastPass now reports that it happened more than a year ago and that the vulnerability was closed immediately at the time.