Engineers at LastPass fixed three different vulnerabilities in the password manager over the last 24 hours, all discovered by Google Project Zero researcher Tavis Ormandy, which could have allowed for the theft of passwords.
One of the issues, a remote code execution vulnerability that could have enabled the proxying of internal Remote Procedure Call (RPC) commands, was fixed Tuesday morning.
Fixes for two other vulnerabilities, including one in LastPass’ Firefox add-on and another in LastPass for Firefox, were pushed Wednesday morning.
Ormandy disclosed bug reports for the last two vulnerabilities on Wednesday and commended the company for the fast fixes.
— Tavis Ormandy (@taviso) March 22, 2017
Ormandy first disclosed the LastPass for Firefox vulnerability in a since-deleted tweet on Tuesday night, warning it could allow the theft of passwords for any domain. Little was known about the vulnerability, other than that it existed in version 4.1.35, until early Wednesday morning when LastPass released 4.1.36a to address the issue.
According to the Project Zero bug tracker report, the LastPass for Firefox vulnerability was similar to the remote code execution bug, Ormandy claims, because the browser loads content scripts into error pages, which could let an attacker run arbitrary script to read back a user’s password.
LastPass, for its part, acknowledged Ormandy’s remote code execution bug early Tuesday morning and said it had put a workaround in place. The company said on Twitter it resolved the bug later that morning and that it was working on a blog post to recap additional details around the vulnerability.
We are aware of the report by @taviso and our team has put a workaround in place while we work on a resolution. Stay tuned for updates.
— LastPass (@LastPass) March 21, 2017
The issue reported by Tavis Ormandy has been resolved. We will provide additional details on our blog soon.
— LastPass (@LastPass) March 21, 2017
In a blog entry on Wednesday morning the company confirmed the vulnerability existed in all LastPass clients, Chrome, Firefox, and Edge, and stemmed from “an experimental user onboarding feature” that was released.
The researcher said he discovered the bug, which affects version 4.1.42 of the service on Chrome and Firefox, after noticing an entry in the service’s websiteconnector.js content script that can proxy unauthenticated window messages to the extension.
Oops, new LastPass bug that affects 4.1.42 (Chrome&FF). RCE if you use the "Binary Component", otherwise can steal pwds. Full report on way. pic.twitter.com/y92vm3Ibxd
— Tavis Ormandy (@taviso) March 20, 2017
The researcher said that on its own, the bug could allow for the access of internal privileged RPCs, something that could in turn allow “complete control of the LastPass extension, including stealing passwords.” If a user had Binary Component installed, an attacker could use “openattach” to run arbitrary code.
Ormandy warned last Wednesday of a third vulnerability that affected version 3.3.2 of LastPass’ Firefox add-on, posting a redacted screenshot of the exploit code:
— Tavis Ormandy (@taviso) March 16, 2017
LastPass incorporated a fix for that vulnerability into version 3.3.4 of the add-on, released Wednesday morning. Firefox users should be automatically updated to the latest version, Ormandy said.
It took a few days but the company confirmed it was aware of a vulnerability that affected a Firefox add-on, presumably the same issue Ormandy raised to the company, on Tuesday night.
We are aware of reports of a Firefox add-on vulnerability. Our security is investigating and working on issuing a fix.
— LastPass (@LastPass) March 22, 2017
As Ormandy pointed out on Twitter Tuesday, Firefox add-ons customarily have to undergo a review by Mozilla before they’re pushed live, something which likely held up the fix from being pushed until this morning.
Since LastPass patched the issues, details around all three of the bugs, including a link to Ormandy’s RCE exploit, were made public by Google’s Project Zero on Tuesday. Under Project Zero guidelines, Google releases bug reports either 90 days after a private disclosure, or after a patch has been made broadly available.
Tod Beardsley, research director at Rapid7 thought releasing details around the bugs so quickly after disclosing it to the company was a head scratcher however.
“It’s a little puzzling why Google publicly disclosed this issue merely 37 hours after the initial private disclosure to LastPass,” Beardsley said Wednesday, “The issue doesn’t appear to be so grave as to warrant a fast track to disclosure, and even if it was, I would generally expect at least a couple days’ of grace period to allow for a more coordinated disclosure.”
Regardless, the issues appear to be the latest among several bumps in the road for the password manager, especially when it comes to bugs identified by the Project Zero researcher. Ormandy made headlines last summer after he said on Twitter that he had found “a bunch of obvious critical problems” in the service. LastPass was quick to fix the most concerning issue, which like this week’s, could have allowed access to privileged LastPass RPCs, but also led to a complete remote compromise.