Password manager LastPass announced this morning that it had resolved two vulnerabilities in its Chrome and Firefox browser extensions. The vulnerabilities, originally reported by Google security researcher Tavis Ormandy, could have allowed an attacker to send arbitrary commands to a victim's LastPass browser extension. An attacker could exploit this flaw to fetch saved passwords or, in some cases, run arbitrary code on the victim's system. According to the timeline in Ormandy's report for the main vulnerability, within a few hours of being notified about the security flaw, LastPass deployed server-side mitigation to prevent exploitation. LastPass followed the mitigation up with updates to their browser extensions, permanently resolving both the main vulnerability and a second one still present in the Firefox extension after the server-side mitigation steps taken earlier. The vulnerabilities revolved around a JavaScript file hosted by LastPass which effectively listened for messages from anywhere and passed them directly to the user's LastPass browser extension.
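The message-relay pattern described above, shown next to a hardened form, as an added illustration that is not LastPass code and not a description of how LastPass fixed the issue. The origins, command names and function names are hypothetical, and the sample events are constructed.

```javascript
// Added illustration, not LastPass code. Origins, commands and function names are hypothetical.
const TRUSTED_ORIGINS = new Set(["https://vault.example.com"]);
const ALLOWED_COMMANDS = new Set(["getVersion", "openVault"]);

// Weak relay: the pattern described above. Every message, from any origin,
// is handed to the extension unchanged.
function weakRelay(event, forward) {
  forward(event.data);
  return true;
}

// Hardened relay: exact-match origin check, strict message shape, command
// allowlist, and only the expected field is copied into the forwarded message.
function hardenedRelay(event, forward) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return false;
  const msg = event.data;
  if (msg === null || typeof msg !== "object" || Array.isArray(msg)) return false;
  if (typeof msg.cmd !== "string" || !ALLOWED_COMMANDS.has(msg.cmd)) return false;
  forward({ cmd: msg.cmd });
  return true;
}

// Constructed sample events with the two MessageEvent fields the relays read.
const SAMPLE_EVENTS = [
  { origin: "https://vault.example.com", data: { cmd: "getVersion", extra: "dropped" } },
  { origin: "https://other.example.net", data: { cmd: "openVault" } },
  { origin: "https://vault.example.com.other.example", data: { cmd: "openVault" } },
  { origin: "https://vault.example.com", data: { cmd: "runNative" } },
  { origin: "https://vault.example.com", data: "openVault" },
];

// Feed every sample event through a relay and collect what reaches the extension.
function runRelay(relay) {
  const forwarded = [];
  const decisions = SAMPLE_EVENTS.map((ev) => relay(ev, (m) => forwarded.push(m)));
  return { forwarded, decisions };
}

const weak = runRelay(weakRelay);
const hardened = runRelay(hardenedRelay);
console.log("weak relay forwarded:", weak.forwarded.length);
console.log("hardened relay forwarded:", hardened.forwarded.length, hardened.decisions);

// In a page, the relay would be registered with (sendToExtension is hypothetical):
// window.addEventListener("message", (e) => hardenedRelay(e, sendToExtension));
```

The extension side should still validate every command it receives; the relay check narrows who can reach it but does not replace that validation.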