STE WILLIAMS

Zero-day hole can pwn millions of LastPass users, all that’s needed is a malicious site

A dangerous zero-day vulnerability has been found in popular cloud password vault LastPass, which The Register has been told can completely compromise user accounts.

Many millions of users can right now be compromised by merely visiting a malicious website, we understand.

This gives attackers complete access to user accounts in which hundreds or thousands of passwords are stored.

Little else is known of the flaw, found by proven and prolific white-hat security researcher Tavis Ormandy, but the Google Project Zero hacker has form: he has torn apart every major antivirus platform, finding horrific bugs including a zero-interaction, wormable remote code execution hole in Symantec kit, vulnerabilities in Avast offerings, server-side pain in Malwarebytes, and failures in Comodo, Kaspersky, and Bromium.

The bug will still need to be reproduced by LastPass before patches are brewed. There is no news yet of in-the-wild attacks. Ormandy will set his sights on popular password vault 1Password after this audit. ®

PS: Detectify Lab also found a password-extraction flaw in LastPass this month that has been fixed.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2016/07/27/zero_day_hole_can_pwn_millions_of_lastpass_users_who_visit_a_site/
