This vulnerability did not affect LastPass' iOS and Android apps.
Update Ma(5:00pm): Our team is currently investigating a new report by Tavis Ormandy and will update our community when we have more details.
In response to this, the password manager-maker amended its original article detailing March 20's vulnerability by stating:
In the post, LastPass also laid down some best practices for users, including using the LastPass Vault as a launch pad, enabling two-factor authentication on any service that offers it, and being wary of phishing attacks.
Ah-ha, I had an epiphany in the shower this morning and realized how to get codeexec in LastPass 4.1.43.
Since the vulnerability has not been fixed, only a few details have been made public by Ormandy and LastPass. The developers of the password manager are aware of the flaw and are working on a patch. "In the meantime, we want to thank people like Tavis who help us raise the bar for online security with LastPass, and work with our teams to continue to make LastPass the most secure password manager on the market," LastPass wrote in its blog post on Monday. Google Project Zero researcher Tavis Ormandy has identified yet another serious vulnerability in the LastPass browser extension.
The bug as it was originally found was discovered by Tavis Ormandy, a. "So you can expect a more detailed post mortem once this work is complete." A bug in the renowned password manager LastPass has just been fixed; it was a sensitive and costly vulnerability that would have enabled a malicious site to acquire a user’s previous password entered by the service’s browser extension. "We don’t want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties." LastPass is a password manager and form filler which locally encrypts your sensitive data with a key that is not sent to LastPass. In a blog post on Monday, LastPass said it is "actively addressing the vulnerability", and that the attack demonstrated by Ormandy was "unique and highly sophisticated." It didn't reveal any further details. Ormandy on Sunday shared details with LastPass, which on the same day said it was aware of the issue and asked users to stay tuned for more details.
Once again reported by Ormandy, the client-side vulnerability allows for remote code execution (RCE) in the LastPass v4.1.43 extension for Chrome. Now, however, a new vulnerability has come to light, and the password management service says it is working to fix it. LastPass is a widely used password management service, and just last week, a Google Project Zero researcher named Tavis Ormandy had pointed out several vulnerabilities in the service that were patched up shortly after. One theory on the forum suggests that someone is exploiting a LastPass browser extension vulnerability through an exceptionally well-crafted phishing site. Internet vulnerabilities are becoming more common with each passing day, and LastPass is no stranger to these.