LastPass bugs found to leak passwords.

#1 JohnC_21
Posted 21 March 2017 - 04:35 PM

Password vault LastPass has patched critical security flaws that malicious websites could exploit to steal millions of victims' passphrases.

The programming cockup was spotted by Tavis Ormandy, a white-hat hacker on Google's crack Project Zero security team. He found that the LastPass Chrome extension had an exploitable content script that evil webpages could attack to extract passwords from the manager.

LastPass works by storing your passwords in the cloud. It provides browser extensions that connect to your LastPass account and automatically fill out your saved login details when you surf to your favorite sites.

However, due to the discovered vulnerabilities, simply browsing a malicious website would be enough to hand over all your LastPass passphrases to strangers. The weak LastPass script uncovered by Ormandy could be exploited by tricking it into granting access to the manager's internal data. It can also be potentially abused to execute commands on the victim's computer – Ormandy demonstrated this by running calc.exe simply by opening a webpage.

"This script will proxy unauthenticated window messages to the extension. This is clearly a mistake," Ormandy explained in a bug report today.

"This allows complete access to internal privileged LastPass RPC [remote procedure call] commands. There are hundreds of internal LastPass RPCs, but the obviously bad ones are things copying and filling in passwords (copypass, fillform, etc)."

Article
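
The relay mistake Ormandy describes, as an added example that is not part of the original post and is not LastPass's code: a content script that forwards window messages to the extension's privileged side without checking who sent them, next to a relay that only forwards messages from the one frame it trusts, from an allowlisted origin, and for an allowlisted command. The two RPC names come from the quote above; the privileged-side dispatcher, the policy object, the origins and the sample messages are constructed for the example, and the hardened checks are standard web-messaging hygiene, not the specific fix LastPass shipped (which the post does not describe).

```javascript
'use strict';

// Two RPC names quoted by Ormandy in the post; the real table has hundreds more.
const PRIVILEGED_RPCS = new Set(['copypass', 'fillform']);

// Stand-in for the extension's privileged side (background page). Every
// command that reaches dispatch() is recorded so the two relays can be compared.
function makeBackground() {
  const calls = [];
  return {
    calls,
    dispatch(msg) {
      calls.push(msg.cmd);
      return PRIVILEGED_RPCS.has(msg.cmd) ? `executed ${msg.cmd}` : 'unknown command';
    },
  };
}

// The mistake as described: a content script that proxies any window message
// shaped like an RPC straight to the extension, with no check on its sender.
function vulnerableRelay(background, event) {
  const msg = event.data;
  if (!msg || typeof msg.cmd !== 'string') return null;
  return background.dispatch(msg);
}

// Hardened relay (illustrative, not LastPass's actual fix). Forward only when
//   1. event.source is the single frame the content script itself created,
//   2. event.origin is on an explicit allowlist, and
//   3. the command is one the page side is permitted to request at all.
function hardenedRelay(background, event, policy) {
  const msg = event.data;
  if (!msg || typeof msg.cmd !== 'string') return null;
  if (event.source !== policy.trustedSource) return 'rejected: untrusted source';
  if (!policy.allowedOrigins.has(event.origin)) return 'rejected: untrusted origin';
  if (!policy.allowedCmds.has(msg.cmd)) return 'rejected: command not allowed';
  return background.dispatch(msg);
}

// Constructed scenario: a malicious page posts a copypass request into the
// content script's message handler. Origins and frames are hypothetical.
function demo() {
  const trustedFrame = {};  // stands in for iframe.contentWindow in a browser
  const policy = {
    trustedSource: trustedFrame,
    allowedOrigins: new Set(['https://lastpass.com']),  // assumed allowlist
    allowedCmds: new Set(['fillform']),                 // copypass never exposed to pages
  };
  const fromEvilPage = { data: { cmd: 'copypass' }, origin: 'https://evil.example', source: {} };
  const fromTrustedFrame = { data: { cmd: 'fillform' }, origin: 'https://lastpass.com', source: trustedFrame };
  const fromTrustedFrameBadCmd = { data: { cmd: 'copypass' }, origin: 'https://lastpass.com', source: trustedFrame };

  const bgVuln = makeBackground();
  const bgHard = makeBackground();
  return {
    vulnerable: vulnerableRelay(bgVuln, fromEvilPage),
    hardenedEvil: hardenedRelay(bgHard, fromEvilPage, policy),
    hardenedTrusted: hardenedRelay(bgHard, fromTrustedFrame, policy),
    hardenedBlockedCmd: hardenedRelay(bgHard, fromTrustedFrameBadCmd, policy),
    privilegedCallsVuln: bgVuln.calls,
    privilegedCallsHard: bgHard.calls,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The source-identity check is the one that actually closes the hole: a page cannot forge `event.source`, so comparing it against the frame the content script created is stronger than an origin allowlist alone, and the command allowlist keeps the blast radius small if the trusted frame is ever compromised.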