#Lastpass extension firefox not update#
In addition to the new website connector vulnerability, the Firefox bug from July came back, due to the fact that an update was not pushed to legacy Firefox versions, keeping the vulnerability open for those using older versions of Mozilla’s web browser. The company said that it has no indications that any user data has been stolen. Users running the LastPass binary component (less than 10% of LastPass user base) were further susceptible to remote exploit when lured to a malicious website,” said Lauren VanDam of LastPass. A malicious website could trick LastPass by masking as a trusted party and steal site credentials. “An issue with the architecture for a consumer onboarding feature affected clients on which that code appeared (Chrome, Firefox, Edge). Doing so would allow the attacker to potentially retrieve and expose information from the LastPass account, such as a user’s login credentials. Once on the website, the attacker could make calls into LastPass APIs, or in some cases run arbitrary code, while appearing as a trusted party. The two new vulnerabilities, one involving a website connector bug and the other being a Firefox based message hijacking bug, were discovered by Tavis Ormandy, a security researcher on Google’s Project Zero team. To exploit these vulnerabilities, an attacker would start out by luring a user to a malicious website.
For the second time in a few months, LastPass had to address serious security flaws in its password manager browser extensions, this time in both Google Chrome and Mozilla Firefox.
0 kommentar(er)
