Google Researcher Finds New LastPass Vulnerability After Patching Previous Vulnerability

A patch has been released for a vulnerability in the popular password manager LastPass, after it was reported by Google security researcher Tavis Ormandy. Shortly after the patch was announced, Ormandy found another leak.

The new leak is a vulnerability in version 4.1.35 of the password manager software for Firefox, which makes it possible to steal passwords from any domain. LogMeIn subsidiary LastPass says it is working on a solution. The vulnerabilities that Google Project Zero employee Ormandy finds are usually patched quickly by LastPass. On Tuesday, Ormandy had reported an earlier leak to the service, for which a patch has now been released.

Ormandy’s analysis shows that the previously reported vulnerability was present in version 4.1.42 of LastPass’ Chrome and Firefox extensions. This made it possible for an attacker to steal passwords. In addition, if the binary component was used, it was possible to execute arbitrary code on the victim’s system.

Earlier this month, the researcher reported a third leak to the service, which was present in the Firefox extension. A LastPass spokesperson told The Register that the patch for this vulnerability has yet to be approved by Mozilla. The leaks reported this month aren't the first vulnerabilities Ormandy has found in LastPass. He previously did so in July 2016. LastPass is a password manager that stores passwords on its own servers. Other variants, such as KeePass, store them in a local database.