Bugs in LastPass Browser Extensions Allow Hackers to Grab Passwords

At the beginning of the month we saw cybersecurity experts everywhere up in arms regarding the Vault 7 leaks where everything from hacking tools by the CIA to their exploration of “meme magic” was dumped on WikiLeaks for the world to see.

Barely a few weeks have passed, and March continues to be an action-packed month as bugs in LastPass’ browser extensions would allow hackers to grab passwords from unsuspecting users.


A bug in LastPass’ Google Chrome extension was discovered by Tavis Ormandy, a member of Google’s Project Zero, on Monday. The first bug – which lets an attacker hijack the extension’s communication with the site you are logging into, inject code, and gain access to your passwords – is described in this report, which also contains his proof-of-concept code in case you’re interested.

The other bug found by Ormandy was in version 3.3.2 of LastPass’ Firefox extension (older, but still very popular). It allows attackers to perform universal cross-site scripting (UXSS) and reveal a user’s password through alert dialogs.

On Tuesday LastPass made the internal service domain responsible for transferring authentication information appear non-existent (i.e. it returned NXDOMAIN) while they investigated the problem, then posted an announcement on Wednesday saying that they had fixed the issues in the Chrome extension.

As far as the Firefox extension was concerned, they left it as is, since the 3.x version branch will be retired in April anyway. To be clear, this is not an accusation. They have stated it openly in their announcement: “This bug was reported to our team last year and fixed at that time. However, the fix was not pushed down to our legacy Firefox 3.3.x branch; this branch has been scheduled for formal retirement in April.”

If you use LastPass’ services, I strongly suggest making sure that your browser extensions are as up to date as possible. Other than that, there is no immediate threat to be alarmed about. In general, you should do this with all of your extensions. By default, both Chrome and Firefox will perform these updates for you, so if you have opted out, maybe now is a good time to give that a second thought.


Saying this will certainly not win anyone points in today’s tech industry climate, but it has to be said: convenience and security are usually at odds with each other. One of our most avid commenters made a similar statement earlier when we reported on the CIA’s Vault 7 leaks.

As we get more intimate (e.g. sharing our passwords, our personal information, etc.) with the technology we use, we are effectively giving hackers one more way to compromise us. Breaches happen because we openly trust technologies before we even ask ourselves whether they are able to protect us from harm.

LastPass is a service that does everything it can to make sure that its users can trust it with their passwords – the very keys to their online existence. But with all due respect to them, we have to ask ourselves: what if one day we’re not lucky enough for a bug to be patched before it is exploited? What if an unanticipated problem in the application code allows a hacker to slip in and see all of your information out in the open?

Intrusions into LastPass have happened before, the most recent one being in 2015. After that, in July 2016, a more benevolent hacker decided to publicly disclose an exploitable bug.

The idea here is that you should never be complacent. Sure, a lot of these exploits are admittedly a bit more hyped than they should be. But you should be aware of the fact that you’re walking into dangerous territory every time you give something personal to a service. Sometimes the benefit outweighs the risk, but only you can make that determination once you’re fully informed of what you’re signing up for.

Do you use a password manager? How do you feel about the possibility of the service you’re using experiencing a breach? Tell us in a comment!
