Security is fundamental to what we do here at LastPass. Our first priority is always responding to and fixing reports as quickly as possible.

In follow-up to recent news, we want to address in more detail two security reports that have been disclosed to our team. One report was disclosed yesterday, while the other report was responsibly reported and fixed over a year ago. Notably, both exploits do require tricking a user via a phishing attack into going to a malicious website.

The first report was responsibly disclosed to our team over a year ago by security researcher Mathias Karlsson, and fixed at that time. Karlsson recently posted his findings on the URL parsing bug. All browser clients were updated and Karlsson confirmed our fix at that time, requiring no action from our users.

The second report was made yesterday by Google Security Team researcher Tavis Ormandy, who contacted our team to report a message-hijacking bug that affected the LastPass Firefox addon. First, an attacker would need to successfully lure a LastPass user to a malicious website. Once there, Ormandy demonstrated that the website could then execute LastPass actions in the background without the user’s knowledge, such as deleting items. As noted below, this issue has been fully addressed and an update with a fix was pushed for all Firefox users using LastPass 4.0.