ICT Security-Sécurité PC et Internet

Password manager LastPass has released an update last week to fix a security bug that exposes credentials entered on a previously visited site.

FIX AVAILABLE
LastPass, believed to be the most popular password manager app today, fixed the reported issue in version 4.33.0, released last week, on September 12.

If users have not enabled an auto-update mechanism for their LastPass browser extensions or mobile apps, they're advised to perform a manual update as soon as possible.

This is because yesterday, Ormandy published details about the security flaw he found. The security researcher's bug report walks an attacker through the steps necessary to reproduce the bug.

Learn more / En savoir plus / Mehr erfahren:

https://www.scoop.it/t/securite-pc-et-internet/?&tag=Password+Managers

https://www.scoop.it/t/securite-pc-et-internet/?&tag=Passwords

LastPass has closed a remote code execution vulnerability on its Chrome extension, but according to Google Project Zero researcher Tavis Ormandy, issues remain on its Firefox extension, as well as details on another password-stealing vulnerability to come.

Writing in the Project Zero issue tracker, Ormandy said it was possible to proxy untrusted messages to LastPass.

"This allows complete access to internal privileged LastPass RPC commands," the researcher said. "There are hundreds of internal LastPass RPCs, but the obviously bad ones are things copying and filling in passwords (copypass, fillform, etc)."

MORE SECURITY NEWS

Secret Service laptop with Trump Tower plans stolen from car
Feature or flaw? How to hijack a Windows account in less than a minute
Internet of Things security: What happens when every device is smart and you don't even know it?
Microsoft Edge used to escape VMware Workstation at Pwn2Own 2017
Additionally, if a user has the LastPass binary component installed, the system was vulnerable to remote code execution.