LastPass, a popular cross-platform password manager with more than 8 million users, has warned of a "unique and highly sophisticated" problem within its system and is advising users to launch sites directly from the LastPass vault instead of the browser extension.
The problem was discovered by Tavis Ormandy of Google’s Project Zero, who is working with the company on a fix. The same researcher had previously found another vulnerability that could have allowed attackers to steal users' passwords by accessing privileged LastPass system commands — the company said it had not seen any evidence of the issue being used by hackers.
Ah-ha, I had an epiphany in the shower this morning and realized how to get codeexec in LastPass 4.1.43. Full report and exploit on the way. pic.twitter.com/vQn20D9VCy — Tavis Ormandy (@taviso) March 25, 2017
According to Ormandy, the new flaw affects the latest version of the LastPass browser extension for all major browsers on Windows and Linux; macOS had not been tested at the time of the announcement, but he believes the exploit likely works there too. Neither Ormandy nor LastPass is sharing much information just yet: “This attack is unique and highly sophisticated. We don’t want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties. So you can expect a more detailed post mortem once this work is complete.”
Ormandy did say that it is “a major architectural problem” that could take a while to fix. Google’s Project Zero has a strict 90-day disclosure policy for making a vulnerability public.
Aside from avoiding the LastPass browser extension in favor of the LastPass vault, users are advised to enable two-factor authentication on sites that offer it, and remain vigilant of phishing attempts.