Beware of using the Last Pass: Tavis Ormandy, one of the most prolific members of Google's Project Zero Team, revealed a new security issue at LastPass.
Ormandy said there was a exploit but has not made it public at the moment. Let's remind that Google Project Zero researchers report the vulnerabilities first to the directly interested companies developing the affected products. Companies have 90 days to insure their product, usually by developing a new version, otherwise researchers are releasing the exploit.
The information is very small until now, as Ormandy has made available through Twitter:
Oops, a new bug in Last Pass that affects version 4.1.42 (Chrome & FF). RCE if you use the "Binary Component", otherwise they may steal passwords. I am preparing a full report.
Oops, new LastPass bug that affects 4.1.42 (Chrome & FF). RCE if you use the "Binary Component", otherwise can steal pwds. Full report on way. pic.twitter.com/y92vm3Ibxd
- Tavis Ormandy (@taviso) March 20, 2017
Reports last version of LastPass for Google Chrome and Firefox (4.1.42 version), and that exploit can be used for remote code execution or password theft.
It later revealed that it has a fully functional exploit that does not display messages on Windows, και είναι μόλις δύο γραμμές κώδικα. Επίσης, σημείωσε ότι το exploit θα μπορούσε να λειτουργήσει και σε άλλες πλατφόρμες.
Wrote and quick exploit for another LastPass vulnerability. Only affects version on https://t.co/lGcefN9YXM (3.3.2), report on way. ¯_ (ツ) _ / ¯ pic.twitter.com/AgjASiQMfJ
- Tavis Ormandy (@taviso) March 16, 2017
LastPass also published one message on Twitter stating that it is aware of the issue, and that it is working to find a solution.
We are aware of the report by @taviso and our team has put a workaround in place while we work on a resolution. Stay tuned for updates.
- LastPass (@LastPass) March 21, 2017
Shortly after, the company published a second message stating that the issue was resolved.
The issue mentioned by Tavis Ormandy has been resolved. We will provide additional clarifications to our blog soon.
According to the tweet, if you use the Last Pass application, you do not have to do anything except waiting for the announcement of the solution that corrects vulnerability from the company.