A hacker could have accessed “obviously bad” LastPass commands

On Monday, Google researcher Tavis Ormandy reported the vulnerability in the popular password management tool. In an outline of the problem, Ormandy explains that a coding flaw allowed anyone to “proxy” unauthenticated messages to a LastPass browser extension. By exploiting the problem, a hacker could obtain access to privileged LastPass commands - including “the obviously bad ones,” such as “copying and filling in passwords (copypass, fillform, etc).”

LastPass, in a short blog post released today, explained that the issue was related to an experimental feature on all LastPass browser clients. The company issued a fix before the vulnerability was publicly revealed, and says updates for users should be applied automatically. (Ormandy reported multiple vulnerabilities, although the company said they are “largely the same.”)

LastPass is not currently asking users to update any passwords. “We have no indication that any of the reported vulnerabilities were exploited in the wild, but we’re doing a thorough review at this time to confirm,” the company said in the blog post. “We will soon provide a more comprehensive summary of the events and what our community needs to know.”