Lastpass browser extension vulnerabilities
When vulnerabilities turn up in password-managing Leviathan LastPass, they have a habit of arriving in small but important flurries.

Last year, the platform was hit by two flaws, one discovered by Matthias Karlsson of Detectify, the other by Google Project Zero Flawhunter General, Tavis Ormandy. In both cases, LastPass appears to have sprung into action well in advance of their public notification.

In January came researcher Sean Cassidy’s “LostPass” flaw, really more of a design issue turned into a clever proof-of-concept phishing attack, complete with a partial bypass of two-step verification (i.e. LastPass used without a hard token such as the YubiKey). LastPass responded quickly with a tweak, grizzled a bit about the way Chrome limits notifications to the browser windows, but explained its side of the issue in some depth.

Only days ago, Ormandy returned, reporting three issues across the Firefox, Chrome and Edge browser extensions, including a fairly serious “website connector” one that could have allowed attackers to pass internal commands (the things that do LastPass’s password and form-filling heavy lifting) after luring users to a malicious website. Doing so would allow the attacker to potentially retrieve and expose information from the LastPass account, such as users’ login credentials.

The flaw can even be used to execute commands on the computer, which Ormandy demonstrated using a disturbing calc.exe proof-of-concept. Given that LastPass is a password manager that usually stores dozens to hundreds of passwords and user names, this is like making off with the crown jewels using only two lines of JavaScript.

LastPass discovered that issue on March 20 and, from what we can tell, cancelled all vacation:

“Upon notification of the vulnerability, the LastPass team immediately shut down the vulnerable service, and began work to update all affected clients.”

Noticing a pattern? In fact there are two: LastPass suffers occasional software vulnerabilities, including the odd very serious one – nothing unusual in that perhaps – but then immediately sets to work fixing them.
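The “website connector” issue above belongs to a general class of bug: a browser extension that lets an ordinary web page reach its privileged internal commands. The following is an added illustration of that class, written for this page; it is not LastPass’s code and says nothing about how its extension actually worked. The command names (getCredentials, fillForm), the trusted-origin allowlist, the message shape and the sample vault are all hypothetical and constructed. The weak dispatcher runs whatever command a page names; the hardened one checks the sender’s exact origin, exposes only a small allowlist of commands to pages at all, and validates arguments before touching the vault.

```javascript
// Added illustration (not LastPass's code) of an extension "connector" that lets
// web pages invoke privileged internal commands. All names and data are hypothetical.

const SAMPLE_VAULT = { // constructed sample data
  credentials: [{ site: 'https://bank.example', user: 'alice', password: 'hunter2' }],
};

// Internal commands: the password and form-filling "heavy lifting".
const INTERNAL_COMMANDS = {
  getCredentials: (_args, vault) => vault.credentials, // hands over the whole vault
  fillForm: (args, _vault) => ({ filled: args.field, forSite: args.site }),
};

// Weak connector: any page that can deliver a message may run any internal command.
function weakDispatch(message, vault) {
  const handler = INTERNAL_COMMANDS[message.cmd];
  if (!handler) return { error: 'unknown command' };
  return handler(message.args || {}, vault);
}

// Hardened connector.
const TRUSTED_ORIGINS = new Set(['https://vault.example']); // hypothetical allowlist
const WEB_EXPOSED_COMMANDS = new Set(['fillForm']);         // getCredentials is never web-reachable

function normalizeOrigin(origin) {
  // Compare exact origins (scheme + host + port), never substrings; unparsable input is rejected.
  try { return new URL(origin).origin; } catch { return null; }
}

function hardenedDispatch(message, senderOrigin, vault) {
  const origin = normalizeOrigin(senderOrigin);
  if (origin === null || !TRUSTED_ORIGINS.has(origin)) return { error: 'untrusted origin' };
  if (!WEB_EXPOSED_COMMANDS.has(message.cmd)) return { error: 'command not exposed to web pages' };
  // Validate arguments before touching the vault: a page may only ask to fill its own origin.
  const args = message.args || {};
  if (typeof args.field !== 'string' || normalizeOrigin(args.site) !== origin) {
    return { error: 'bad arguments' };
  }
  return INTERNAL_COMMANDS[message.cmd](args, vault);
}

// Constructed message from a page the victim was lured to:
const attack = { cmd: 'getCredentials' };
console.log(weakDispatch(attack, SAMPLE_VAULT));                              // leaks the vault
console.log(hardenedDispatch(attack, 'https://evil.example', SAMPLE_VAULT));  // { error: 'untrusted origin' }
console.log(hardenedDispatch(attack, 'https://vault.example', SAMPLE_VAULT)); // { error: 'command not exposed to web pages' }
```

The point of the two layers in hardenedDispatch is that origin checking alone is not enough: even a trusted page should not be able to name a vault-dumping command, so the set of commands reachable from web content is kept separate from, and much smaller than, the set the extension uses internally.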