Password vault LastPass has patched critical security flaws that malicious websites could exploit to steal millions of victims' passphrases.
The programming cockup was spotted by Tavis Ormandy, a white-hat hacker on Google's crack Project Zero security team. He found that the LastPass Chrome extension had an exploitable content script that evil webpages could attack to extract passwords from the manager.
LastPass works by storing your passwords in the cloud. It provides browser extensions that connect to your LastPass account and automatically fill out your saved login details when you surf to your favorite sites.
However, due to the discovered vulnerabilities, simply browsing a malicious website would be enough to hand over all your LastPass passphrases to strangers. The weak LastPass script uncovered by Ormandy could be exploited by tricking it into granting access to the manager's internal data. It can also be potentially abused to execute commands on the victim's computer – Ormandy demonstrated this by running calc.exe simply by opening a webpage.
"This script will proxy unauthenticated window messages to the extension. This is clearly a mistake," Ormandy explained in a bug report today.
"This allows complete access to internal privileged LastPass RPC [remote procedure call] commands. There are hundreds of internal LastPass RPCs, but the obviously bad ones are things copying and filling in passwords (copypass, fillform, etc)."