LastPass Hacked – Leaking Passwords Via Chrome Extension

Outsmart Malicious Hackers


LastPass Hacked – Leaking Passwords is not new, last week its Firefox extension was picked apart – now this week it’s Chrome extension is giving up its goodies. I’ve always found LastPass a bit suspect, even though they are super easy to use, and have a nice UI they’ve had TOO many serious security issues for a company protecting millions of people.

LastPass Hacked - Leaking Passwords Via Chrome Extension


It’s a shame Passpack isn’t being updated actively as architecturally it seems like a much better product, the UI is shit though and it’s buggy for managing mass user accounts.

Password vault LastPass is scrambling to patch critical security flaws that malicious websites can exploit to steal millions of victims’ passphrases.

The programming cockups were spotted by Tavis Ormandy, a white-hat hacker on Google’s crack Project Zero security team. He found that the LastPass Chrome extension has an exploitable content script that evil webpages can attack to extract usernames and passwords.

LastPass works by storing your passwords in the cloud. It provides browser extensions that connect to your LastPass account and automatically fill out your saved login details when you surf to your favorite sites.

However, due to the discovered vulnerabilities, simply browsing a malicious website is enough to hand over all your LastPass passphrases to strangers. The weak LastPass script uncovered by Ormandy can be tricked into granting access to the manager’s internal mechanisms, which is rather bad news.

The script can also be abused to execute commands on the victim’s computer – Ormandy demonstrated this by running calc.exe simply by opening a webpage. A malicious website could exploit this hole to drop malware on a visiting machine. A victim must have the binary component of LastPass installed to be vulnerable to this attack.


This LastPass Hacked issue is a pretty major vulnerability for a company that is supposed to make your passwords MORE secure, not leak them to any malicious site that has also figured out the same stuff Tavis spotted.

After advocating password managers for a long time, this is not a good look.

The password manager developer has experience with Ormandy after he found another flaw in its code last year that could compromise a punter’s passwords just by visiting the wrong website.

“We greatly appreciate the work of the security community to challenge our product and uncover areas that need improvement,” Joe Siegrist, cofounder and VP of LastPass, told The Register.

“We have made our LastPass community aware of the report made by Tavis Ormandy and have confirmed that the vulnerabilities have been fixed. We were notified early on – our team worked directly with Tavis to verify the report made, and worked quickly to issue the fix. As always, we recommend that users keep their software updated to the latest versions.”

It appears LastPass’s fix for the Chrome extension issue was to quickly disable 1min-ui-prod.service.lastpass.com – although some say the server is still working for them, so they are still vulnerable. That LastPass backend system resolves to 23.72.215.179 for us right now, and is still up.

There’s also the flip-side that LastPass is a popular product so it’s more likely people are going to find flaws in it, more eyes on it and all that – and in the end, these discovered flaws make the product much more secure than smaller competitors that undergo less public scrutiny.

Or not, who knows.

An older story about LastPass hacked here: Password Manager Security – LastPass, RoboForm Etc Are Not That Safe

Source: The Register

Posted in: Hacking News

, , , , ,


Latest Posts:


SQLiv - SQL Injection Dork Scanning Tool SQLiv – SQL Injection Dork Scanning Tool
SQLiv is a Python-based massive SQL Injection dork scanning tool which uses Google, Bing or Yahoo for targetted, multiple-domain or reverse domain scans.
OSSIM Download - Open Source SIEM Tools & Software OSSIM Download – Open Source SIEM Tools & Software
OSSIM is a popular Open Source SIEM or Security Information and Event Management (SIEM) product, providing event collection, normalization and correlation.
What You Need To Know About KRACK WPA2 Wi-Fi Attack What You Need To Know About KRACK WPA2 Wi-Fi Attack
The Internet has been blowing up in the past week about the KRACK WPA2 attack that is extremely widespread and is a flaw in the Wi-Fi standard itself.
Spaghetti Download - Web Application Security Scanner Spaghetti Download – Web Application Security Scanner
Spaghetti is an Open-source Web Application Security Scanner, it is designed to find various default and insecure files, configurations etc.
Taringa Hack - 27 Million User Records Leaked Taringa Hack – 27 Million User Records Leaked
The Taringa hack is actually one of the biggest leaks of the year with 27 million weakly hashed passwords breached, but it's not often covered in the West.
A2SV - Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed A2SV – Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed
A2SV is a Python-based SSL Vulnerability focused tool that allows for auto-scanning and detection of the common and well-known SSL Vulnerabilities.


4 Responses to LastPass Hacked – Leaking Passwords Via Chrome Extension

  1. Jonathon March 23, 2017 at 8:27 am #

    Who the fuck visits malicious websites? As long as you don’t, you don’t need to worry.

  2. Lastpass Victim April 10, 2017 at 6:20 pm #

    Thank you so much for leaking my password lastpass. My passwords were compromised recently for some of my user accounts. After investigating all around, i landed to this article. It says it all. Removed chrome extension immediately and deleting my account from lastpass as a next step. Wish these companies never exisit

  3. Anton May 12, 2017 at 10:02 pm #

    There was an article from 2016 which described a similar issue with the firefox extension: https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/