Bugs in LastPass Browser Extensions Allow Hackers to Grab Passwords

At the beginning of the month we saw cybersecurity experts everywhere up in arms regarding the Vault 7 leaks where everything from hacking tools by the CIA to their exploration of “meme magic” was dumped on WikiLeaks for the world to see.

Barely a few weeks have passed, and March continues to be an action-packed month as bugs in LastPass’ browser extensions would allow hackers to grab passwords from unsuspecting users.

The Bugs

A bug in LastPass’ Google Chrome extension was discovered on Monday by Tavis Ormandy, a member of Google’s Project Zero. This first bug lets an attacker inject code by hijacking the communication between your computer and the server you are logging into, and from there gain access to your passwords. The details are in his report, which also contains his proof-of-concept code in case you’re interested.

The other bug found by Ormandy was in version 3.3.2 of LastPass’ Firefox extension (older, but still very popular). It allows a universal cross-site scripting (UXSS) attack that can reveal a user’s password through alert dialogs.

On Tuesday LastPass made the internal service domain responsible for transferring authentication information appear non-existent (i.e. they NXDOMAIN-ed it) while they investigated the problem, then posted an announcement on Wednesday saying that they had fixed the issues in the Chrome extension.

As far as the Firefox extension was concerned, they left it as it is, since the 3.x version branch will be retired in April anyway. To be clear, this is not an accusation. They have stated it openly in their announcement: “This bug was reported to our team last year and fixed at that time. However, the fix was not pushed down to our legacy Firefox 3.3.x branch; this branch has been scheduled for formal retirement in April.”

What You Should Do

If you use LastPass’ services, I strongly suggest making sure that your browser extensions are as up to date as possible. Other than that, there is no immediate threat to be alarmed about. In general, you should do this with all of your extensions. By default, both Chrome and Firefox will perform these updates for you, so if you have opted out, maybe now is a good time to give that a second thought.

There’s a Bigger Concern, Though…

Saying this will certainly not win anyone points in today’s tech industry climate, but it has to be said: convenience and security are usually a dichotomy. One of our most avid commenters made a similar statement earlier when we reported on the CIA’s Vault 7 leaks.

As we get more intimate (e.g. sharing our passwords, our personal information, etc.) with the technology we use, we are effectively giving hackers one more way to compromise us. Breaches happen because we openly trust technologies before we even ask ourselves whether they are able to protect us from harm.

LastPass is a service that does everything it can to make sure that its users can trust it with their passwords – the very keys to their online existence. But with all due respect to them, we have to ask ourselves: what if one day we’re not lucky enough for a bug to be patched before it is exploited? What if an unanticipated problem in the application code allows a hacker to slip in and see all of your information out in the open?

Intrusions into LastPass have happened before, the most recent one being in 2015. After that, in July 2016, a more benevolent hacker decided to publicly disclose a bug that could have been exploited.

The idea here is that you should never be complacent. Sure, a lot of these exploits are admittedly a bit more hyped than they should be. But you should be aware of the fact that you’re walking into dangerous territory every time you give something personal to a service. Sometimes the benefit outweighs the risk, but only you can make that determination once you’re fully informed of what you’re signing up for.

Do you use a password manager? How do you feel about the possibility of the service you’re using experiencing a breach? Tell us in a comment!

Miguel Leiva-Gomez

Miguel has been a business growth and technology expert for more than a decade and has written software for even longer. From his little castle in Romania, he presents cold and analytical perspectives to things that affect the tech world.


  1. I’m safer with a password manager (Lastpass in my case) than I am without one. Sure I could avoid the occasional bug but how vulnerable would my passwords be if I had to keep track of them manually and try to create new secure ones when needed? You pays your money and you makes your choice.

    I also use 2FA…

  2. “Sometimes the benefit outweighs the risk”
    What ARE those benefits?! Other than the convenience of being able to share your data with multiple devices and friends (and hackers)? It has been proven time and time again that cloud servers can and will be compromised. If cloud storage is such a great idea, why doesn’t the government (NSA, FBI, DOD, etc) use cloud services (DropBox, GoogleDrive, OneDrive, etc) to store their data?

    1. I’ll answer your question…

      You sound like the type of guy that uses 1, 2 or maybe 3 different passwords for everything. That’s scary! The nice thing about LastPass is that yes the data is stored on their servers, or should I say “their cloud” which is N/A here, but it’s already encrypted client side.

      The government doesn’t use third party servers because they buy and build their own infrastructure. Same reason why almost every company in the first world does the same. I’d believe they’d like to keep their information to themselves, and when it comes to my health care or financial information, I’d like it that way.

      Besides, this article was about specific browser addons, not about how or where the information was being stored. If you feel that the risk outweighs the reward, then don’t use one.

      1. “That’s scary!”
        What is scary is that a company that has undertaken to keep our passwords safe, cannot. BTW – I use a password manager that uses local storage.

        “it’s already encrypted client side.”
        Obviously not well enough if they had two breaches in 2 years.

        “they’d (government and private companies) like to keep their information to themselves”
        So would I. That’s why I store my information locally.

        “this article was about specific browser addons not about how or where the information was being stored”
        If the passwords were stored locally, there would be no need for these browser addons which have security holes, and there would be no need for this article.

        “I’ll answer your question…”
        Promises, promises. :-)
        You didn’t mention even one benefit of cloud storage of passwords (or data).

    2. Dragonmouth, in response to your original comment: When I wrote that sometimes the benefits outweigh the risk, I was referring to subjective cost-benefit analyses on an individual basis.

      Someone who doesn’t value their identity store so much wouldn’t necessarily rethink the use of a server-side password manager with centralized encryption after reading this piece. The point of this piece was to inform, and some people who are now (hopefully) a little more informed of how leaky these things can be might still decide to continue using them. But at least that decision is now in the context of understanding fully what the risks are.

      Now, this phrase is also a subtle “apropos” to the idea of server-side password managers that give you total control of the encryption process (i.e. allowing you to have your own key, and not storing it server-side, kind of like how PerfectCloud does). This is almost exactly like having locally-stored passwords under lock and key, and even if PerfectCloud were breached, the data within their database would be completely useless to a hacker since it would take millions of dollars of hardware and decades of man-hours to get through “solving” a portion of it without the keys.
