LastPass hit by password stealing and code execution vulnerabilities
LastPass has closed a remote code execution vulnerability in its Chrome extension, but according to Google Project Zero researcher Tavis Ormandy, issues remain in its Firefox extension, and details of another password-stealing vulnerability are still to come.

Writing in the Project Zero issue tracker, Ormandy said it was possible to proxy untrusted messages to LastPass.

"This allows complete access to internal privileged LastPass RPC commands," the researcher said. "There are hundreds of internal LastPass RPCs, but the obviously bad ones are things copying and filling in passwords (copypass, fillform, etc)."

Additionally, if a user had the LastPass binary component installed, the system was vulnerable to remote code execution.