It's been a very busy week for the folks at LastPass. Google security researcher Tavis Ormandy has reported several vulnerabilities to LastPass. The first vulnerability is in the Chrome extension: just visiting a malicious website can expose all of your LastPass passwords. Ormandy stated, "This allows complete access to internal privileged LastPass RPC [remote procedure call] commands. There are hundreds of internal LastPass RPCs, but the obviously bad ones are things like copying and filling in passwords (copypass, fillform, etc)." LastPass has implemented a server-side workaround to address the problem until a fix can be distributed.
That leaves two more vulnerabilities that have not been fixed. One is a bug dealing with the "Binary Component" that impacts Chrome and Firefox. The second one deals with version 3.3.2 of the Firefox add-on. LastPass said it is working on fixing all the vulnerabilities and should have updates out shortly, which will automatically be distributed. You may want to disable the Chrome and Firefox extensions for now just to be safe(r).