Internet vulnerabilities are becoming more common with each passing day, and is no stranger to these. LastPass is a widely used password management service, and just last week, a Google Project Zero researcher named Tavis Ormandy had several vulnerabilities in the service that were patched up shortly after. Now however, a new vulnerability has come to light, and the password management service says it is working to fix it.
Once again by Ormandy, the client-side vulnerability allows for remote code execution (RCE) in the LastPass v4.1.43 extension for Chrome. Ormandy on Sunday shared details with LastPass, which on the same day it was aware of the issue and asked users to stay tuned for more details.
In a blog on Monday, LastPass said it is “actively addressing the vulnerability”, and that the attack demonstrated by Ormandy was “unique and highly sophisticated.” It didn’t reveal any further details.
“We don’t want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties. So you can expect a more detailed post mortem once this work is complete.”
“In the meantime, we want to thank people like Tavis who help us raise the bar for online security with LastPass, and work with our teams to continue to make LastPass the most secure password manager on the market,” LastPass wrote in its blog post on Monday.
In the post, LastPass also laid down some best practices for users, including using the LastPass Vault as a launch pad, enabling two-factor authentication on any service that offers it, and to be wary of phishing attacks.