
Zero-day hole can pwn millions of LastPass users, all that's needed is a malicious site

Remote 'complete account compromise' possible, Google hacker finds


Updated A dangerous zero-day vulnerability has been found in popular cloud password vault LastPass, which The Register has been told can completely compromise user accounts.

Many millions of people can right now be compromised merely by visiting a malicious website using Firefox with LastPass's software installed, we understand. This gives attackers complete access to user accounts in which hundreds or thousands of passwords are stored.

Little else is known of the flaw, found by proven and prolific white-hat security researcher Tavis Ormandy, but the Google Project Zero hacker has form: he has torn apart every major antivirus platform, finding horrific bugs including a zero-interaction, wormable remote code execution hole in Symantec kit, vulnerabilities in Avast offerings, server-side pain in Malwarebytes, and failures in Comodo, Kaspersky, and Bromium.

The bug will still need to be probed by LastPass before patches can be brewed and distributed. There is no news yet of in-the-wild attacks. Ormandy will set his sights on popular password vault 1Password after this audit. ®

Updated to add

LastPass says it has now fixed the bug found by Ormandy, confirms that it affects Firefox users, and has pushed an update to LastPass 4.0 users to close the hole detailed here.

PS: Mathias Karlsson of Detectify Labs also found a password-extraction flaw in LastPass, which has been fixed.
