Zero-day hole can pwn millions of LastPass users, all that's needed is a malicious site

Updated A dangerous zero-day vulnerability has been found in popular cloud password vault LastPass, which The Register has been told can completely compromise user accounts.

Many millions of people can right now be compromised by merely visiting a malicious website using Firefox with LastPass's software installed, we understand. This allows attackers complete access to user accounts in which hundreds and thousands of passwords are stored.

Little else is known of the flaw, found by proven and prolific white hat security researcher Tavis Ormandy, but the Google Project Zero hacker has form; he has torn apart every major antivirus platform finding horrific bugs including a zero-interaction remote code execution and wormable hole in Symantec kit, vulnerabilities in Avast offerings, server-side pain in Malwarebytes, and failures in Comodo, Kasperksy, and Bromium.

Are people really using this lastpass thing? I took a quick look and can see a bunch of obvious critical problems. I'll send a report asap.

— Tavis Ormandy (@taviso) July 26, 2016

Full report sent to LastPass, they're working on it now. Yes, it's a complete remote compromise. Yes, I promise I'll look at 1Password.

— Tavis Ormandy (@taviso) July 27, 2016

The bug will still need to be probed by LastPass before patches can be brewed and distributed. There is no news yet of in-the-wild attacks. Ormandy will set his sights on popular password vault 1Password after this audit. ®

Updated to add

LastPass says it has now fixed the bug found by Ormandy, says it affects Firefox users, and has pushed an update to LastPass 4.0 users to close the hole detailed here.

PS: Mathias Karlsson of Detectify Labs also found a password-extraction flaw in LastPass, which has been fixed.