LastPass Hacked – Leaking Passwords Via Chrome Extension

The New Acunetix V12 Engine


LastPass Hacked – Leaking Passwords is not new, last week its Firefox extension was picked apart – now this week it’s Chrome extension is giving up its goodies. I’ve always found LastPass a bit suspect, even though they are super easy to use, and have a nice UI they’ve had TOO many serious security issues for a company protecting millions of people.

LastPass Hacked - Leaking Passwords Via Chrome Extension


It’s a shame Passpack isn’t being updated actively as architecturally it seems like a much better product, the UI is shit though and it’s buggy for managing mass user accounts.

Password vault LastPass is scrambling to patch critical security flaws that malicious websites can exploit to steal millions of victims’ passphrases.

The programming cockups were spotted by Tavis Ormandy, a white-hat hacker on Google’s crack Project Zero security team. He found that the LastPass Chrome extension has an exploitable content script that evil webpages can attack to extract usernames and passwords.

LastPass works by storing your passwords in the cloud. It provides browser extensions that connect to your LastPass account and automatically fill out your saved login details when you surf to your favorite sites.

However, due to the discovered vulnerabilities, simply browsing a malicious website is enough to hand over all your LastPass passphrases to strangers. The weak LastPass script uncovered by Ormandy can be tricked into granting access to the manager’s internal mechanisms, which is rather bad news.

The script can also be abused to execute commands on the victim’s computer – Ormandy demonstrated this by running calc.exe simply by opening a webpage. A malicious website could exploit this hole to drop malware on a visiting machine. A victim must have the binary component of LastPass installed to be vulnerable to this attack.


This LastPass Hacked issue is a pretty major vulnerability for a company that is supposed to make your passwords MORE secure, not leak them to any malicious site that has also figured out the same stuff Tavis spotted.

After advocating password managers for a long time, this is not a good look.

The password manager developer has experience with Ormandy after he found another flaw in its code last year that could compromise a punter’s passwords just by visiting the wrong website.

“We greatly appreciate the work of the security community to challenge our product and uncover areas that need improvement,” Joe Siegrist, cofounder and VP of LastPass, told The Register.

“We have made our LastPass community aware of the report made by Tavis Ormandy and have confirmed that the vulnerabilities have been fixed. We were notified early on – our team worked directly with Tavis to verify the report made, and worked quickly to issue the fix. As always, we recommend that users keep their software updated to the latest versions.”

It appears LastPass’s fix for the Chrome extension issue was to quickly disable 1min-ui-prod.service.lastpass.com – although some say the server is still working for them, so they are still vulnerable. That LastPass backend system resolves to 23.72.215.179 for us right now, and is still up.

There’s also the flip-side that LastPass is a popular product so it’s more likely people are going to find flaws in it, more eyes on it and all that – and in the end, these discovered flaws make the product much more secure than smaller competitors that undergo less public scrutiny.

Or not, who knows.

An older story about LastPass hacked here: Password Manager Security – LastPass, RoboForm Etc Are Not That Safe

Source: The Register

Posted in: Hacking News

, , , , ,


Latest Posts:


Domained - Multi Tool Subdomain Enumeration Domained – Multi Tool Subdomain Enumeration
Domained is a multi tool subdomain enumeration tool that uses several subdomain enumeration tools and wordlists to create a unique list of subdomains.
Acunetix Vulnerability Scanner For Linux Now Available Acunetix Vulnerability Scanner For Linux Now Available
Acunetix Vulnerability Scanner For Linux is now available, now you get all of the functionality of Acunetix, with all of the dependability of Linux.
Gerix WiFi Cracker - Wireless 802.11 Hacking Tool With GUI Gerix WiFi Cracker – Wireless 802.11 Hacking Tool With GUI
Gerix WiFi cracker is an easy to use Wireless 802.11 Hacking Tool with a GUI, it was originally made to run on BackTrack and this version has been updated for Kali (2018.1).
Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.


4 Responses to LastPass Hacked – Leaking Passwords Via Chrome Extension

  1. Jonathon March 23, 2017 at 8:27 am #

    Who the fuck visits malicious websites? As long as you don’t, you don’t need to worry.

  2. Lastpass Victim April 10, 2017 at 6:20 pm #

    Thank you so much for leaking my password lastpass. My passwords were compromised recently for some of my user accounts. After investigating all around, i landed to this article. It says it all. Removed chrome extension immediately and deleting my account from lastpass as a next step. Wish these companies never exisit

  3. Anton May 12, 2017 at 10:02 pm #

    There was an article from 2016 which described a similar issue with the firefox extension: https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/