LastPass on Monday acknowledged a remote code execution vulnerability that affects version 4.1.42 of the LastPass extension on Chrome.
The client-side vulnerability was discovered over the weekend by Google Project Zero researcher Tavis Ormandy.
“We are now actively addressing the vulnerability. This attack is unique and highly sophisticated,” LastPass wrote in a blog post.
LastPass didn’t give specifics about the vulnerability or when a fix may be released, but promised more details when the issue is resolved.
Ormandy had previously found exploits in earlier versions of LastPass, reported on March 20, and said it was possible to proxy untrusted messages to LastPass. LastPass updated its users the same day with an incident report stating that all “extensions have been patched and are being re-released to users”.
Ormandy has not released details of the latest vulnerability, which LastPass acknowledged on Monday, but said in a tweet that it is a new exploit.
Writing in the Project Zero issue tracker on March 20, Ormandy said the vulnerability in the earlier version made it possible to proxy untrusted messages to LastPass.
“This allows complete access to internal privileged LastPass RPC commands,” the researcher said. “There are hundreds of internal LastPass RPCs, but the obviously bad ones are things copying and filling in passwords (copypass, fillform, etc).”
Furthermore, if a user had the LastPass binary component installed, the system was vulnerable to remote code execution.
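As an added illustration (this is not code from LastPass or from Ormandy's report), the following models the pattern the report describes: a content script that relays web-page messages to the extension's privileged RPC layer, beside a hardened bridge that checks the message source, allowlists the commands reachable from pages, and derives the target site from the browser-supplied sender rather than from the message. The extension id, vault entries and RPC bodies are constructed for the demo.

```javascript
// Constructed model of an extension "message bridge" (hypothetical, not LastPass code).
// Three actors are simulated: a web page, the content script injected into it, and
// the privileged background page that owns the vault and its internal RPC commands.

const EXTENSION_ID = 'demo-extension-id';              // hypothetical extension id
const PAGE_WINDOW = { name: 'top-level page window' }; // stand-in for `window`

// Constructed vault, keyed by site origin.
const VAULT = {
  'https://bank.example': { username: 'alice', password: 'hunter2' },
  'https://mail.example': { username: 'alice', password: 'correct horse battery' },
};

// Privileged background RPCs. Names follow the report (copypass, fillform); the
// bodies are stand-ins. Both act on whatever `args.site` they are handed.
const rpc = {
  fillform: (args) => VAULT[args.site] || null,
  copypass: (args) => (VAULT[args.site] ? VAULT[args.site].password : null),
};

// ---- Vulnerable bridge -------------------------------------------------------
// The content script relays any `{cmd, args}` it sees on window.postMessage and the
// background dispatches by name, so a page on evil.example can request
// bank.example's entry.
function vulnerableContentScript(event) {
  return vulnerableBackground(event.data, { tabUrl: event.origin, id: EXTENSION_ID });
}
function vulnerableBackground(message, sender) {
  const handler = rpc[message.cmd];            // no allowlist, no sender check
  return handler ? handler(message.args) : { error: 'unknown command' };
}

// ---- Hardened bridge ---------------------------------------------------------
// 1. Accept messages only from the page's own window (not frames or opened windows).
// 2. Expose only a small allowlist of commands to web content at all.
// 3. Derive the site a command acts on from the browser-supplied sender URL,
//    never from attacker-controlled message fields.
const PAGE_ALLOWED = new Set(['fillform']);

function hardenedContentScript(event, selfWindow) {
  if (event.source !== selfWindow) return { error: 'foreign source' };
  if (typeof event.data !== 'object' || event.data === null) return { error: 'bad payload' };
  if (!PAGE_ALLOWED.has(event.data.cmd)) return { error: 'command not exposed to pages' };
  // Forward only the command name. In a real extension the browser fills in
  // `sender` for chrome.runtime.onMessage; this simulation passes it explicitly.
  return hardenedBackground({ cmd: event.data.cmd }, { tabUrl: event.origin, id: EXTENSION_ID });
}
function hardenedBackground(message, sender) {
  if (sender.id !== EXTENSION_ID) return { error: 'untrusted sender' };
  const site = new URL(sender.tabUrl).origin;  // authoritative, not message-controlled
  if (message.cmd === 'fillform') return rpc.fillform({ site });
  return { error: 'unknown command' };
}

// Constructed attack: a page on evil.example posts a message naming another site.
function attackerEvent(cmd) {
  return { origin: 'https://evil.example', source: PAGE_WINDOW,
           data: { cmd, args: { site: 'https://bank.example' } } };
}
// Legitimate use: the real bank page asks the extension to fill its own form.
function bankEvent() {
  return { origin: 'https://bank.example', source: PAGE_WINDOW, data: { cmd: 'fillform' } };
}

function demo() {
  return {
    vulnCopy: vulnerableContentScript(attackerEvent('copypass')),            // 'hunter2'
    hardCopy: hardenedContentScript(attackerEvent('copypass'), PAGE_WINDOW), // rejected
    hardFill: hardenedContentScript(attackerEvent('fillform'), PAGE_WINDOW), // null
    bankFill: hardenedContentScript(bankEvent(), PAGE_WINDOW),               // bank entry
  };
}
console.log(demo());
```

The point of the hardened version is not the allowlist alone: even an allowed command must take its target from data the browser attaches to the sender, because any field inside the message is under the page's control.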
LastPass is encouraging its users to launch sites directly from the LastPass Vault, to be alert to phishing attacks, and to enable two-factor authentication wherever it is available.
LastPass was purchased by LogMeIn for $110 million in October 2015.