LastPass zero-day can lead to account compromise

  • July 27, 2016
  • 8 replies
  • 1 view

Jasper_The_Rasper
Moderator
Zeljka Zorz - July 27, 2016
 
A zero-day flaw in the popular password manager LastPass can be triggered by users visiting a malicious site, allowing attackers to compromise the user's account and all the sensitive information in it.
The discovery was made by Google Project Zero researcher Tavis Ormandy who, after probing a slew of AV solutions and finding serious security holes in them, has apparently set his sights on widely used password management solutions.
 
Aside from that flaw, he also found "a bunch of obvious critical problems," but responsibly chose not to share publicly any more details about any of the flaws until the developers have a chance to fix them.
 
Full Article

Let's hope LastPass corrects these security holes quickly, as this is a popular application.

Baldrick
Gold VIP
  • July 27, 2016
Oh, not good...and let us hope that the 'item' discovered is not in some old code that is also in the Webroot Password Manager. I am wondering if anyone in Support has checked on that...but of course they have, haven't they? :S

nic
  • Retired Webrooter
  • July 27, 2016
Checking now to see what info we have on it internally.

Baldrick
Gold VIP
  • July 27, 2016
Cheers, Nic...nice one. ;)

nic
  • Retired Webrooter
  • July 27, 2016
I heard back from our folks that our version of the browser extension is not affected by this vulnerability, so we're good to go.

Baldrick
Gold VIP
  • July 27, 2016
Most excellent!

Jasper_The_Rasper
Moderator
That is great news Nic, thank you for the update.

Jasper_The_Rasper
Moderator
LastPass has patched the security flaw. Thank you, Nic, for the heads up ;)
 
"Security is fundamental to what we do here at LastPass. Our first priority is always responding to and fixing reports as quickly as possible.
In follow-up to recent news, we want to address in more detail two security reports that have been disclosed to our team. One report was disclosed yesterday, while the other report was responsibly reported and fixed over a year ago. Notably, both exploits do require tricking a user via a phishing attack into going to a malicious website."
 
Full Report.