

There's even less info available about the latest vulnerability identified (updated - see below). I deleted a widely shared tweet I'd written "unpatched" in, because it's now patched was confusing w/o context. I found another bug in LastPass 4.1.35 (unpatched), allows stealing passwords for any domain.
The second issue could be more serious, with the ability to steal a user's passwords or, if the binary version of the extension is installed, run any code the attacker tells it to (in an example, Ormandy causes the target's computer to open a Calculator program). According to LastPass the issue has been resolved, although a promised follow-up blog post with more details has yet to appear. Our security is investigating and working on issuing a fix. We are aware of reports of a Firefox add-on vulnerability. We will provide additional details on our blog soon. The issue reported by Tavis Ormandy has been resolved. Based on his tweet, it could reveal a user's password, but not all of the details have been revealed yet. The first vulnerability has apparently not been addressed yet, which Ormandy mentions may be the result of Mozilla needing time to review the updated extension before pushing it to users.

Last week Ormandy mentioned finding an exploit in one version of the LastPass extension for Firefox, before following that up with a new bug that affected both Chrome and Firefox, and finally a third vulnerability that could allow "stealing passwords for any domain." Last year Google Project Zero researcher Tavis Ormandy quickly found some "obvious" security problems in the popular password manager LastPass, and now he's done it again.
