Two Vulnerabilities Affect LastPass, Both Allow Full Password Compromise

LastPass has fixed one and is working on a fix for the second. July 27, 2016, will not be remembered as a quiet day for the LastPass team: two vulnerabilities surfaced online, each of which could allow an attacker to compromise the password manager.

The first is an issue discovered by Mathias Karlsson of Detectify. The researcher explains in a blog post that the problem resided in the JavaScript code of the LastPass browser extension that parsed the URL of the page the extension was active on.

LastPass could be tricked into spewing out credentials for other sites

He discovered that by tricking a user into visiting a URL of the form attacker-site.com/@twitter.com/@script.php, the LastPass URL parsing function could be fooled into concluding that the page belonged to twitter.com, even though the browser was actually on attacker-site.com.

Because LastPass comes with an auto-fill function, the extension would then pre-fill any login form on that page with the user's twitter.com credentials.

Any JavaScript the attacker placed on that page could then read the auto-filled form fields and send the credentials to a server the attacker controls, without the user typing anything.
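The following is an added illustration of the bug class described above, written for this page; it is not LastPass's own parsing code, and the function names, the regular expression and the sample URLs are the editor's constructions. A hand-rolled "domain" extractor that strips an optional `user:password@` prefix before cutting the authority off at the first `/` mistakes the `/@twitter.com` path segment for the end of a userinfo section; the browser's own WHATWG URL parser does not, and an auto-fill gate built on it refuses to fill.

```javascript
// Added example (editor's illustration, not LastPass's code). Contrasts a naive
// host extractor that can be fooled by "/@" in the path with one based on the
// WHATWG URL parser, and gates auto-fill on the hardened result.

// Naive extractor: optional scheme, optional "anything@" prefix, then host.
// Because "[^@]*" may span "/", a "/@" inside the path is taken as the end of
// a userinfo section, and the label after it is returned as the host.
const NAIVE_HOST_RE = /^(?:[a-z][a-z0-9+.-]*:\/\/)?(?:[^@]*@)?([^\/:?#]+)/i;

function naiveDomain(url) {
  const m = NAIVE_HOST_RE.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Hardened extractor: let a real URL parser decide where the authority ends.
// Anything the parser rejects yields null, so callers fail closed.
function safeDomain(url) {
  try {
    return new URL(url).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Auto-fill gate: fill only when the page host equals the stored site's host
// or is a subdomain of it. Matching on whole labels is what stops a host like
// "attacker-site.com" from being accepted for a "twitter.com" entry.
function shouldAutofill(pageUrl, storedSite) {
  const host = safeDomain(pageUrl);
  if (host === null) return false;
  const site = storedSite.toLowerCase();
  return host === site || host.endsWith("." + site);
}

// Constructed sample inputs (the first is the shape of URL from the article).
const ATTACK_URL = "http://attacker-site.com/@twitter.com/@script.php";
const LEGIT_URL = "https://twitter.com/login";
const USERINFO_URL = "https://user:pw@example.com/"; // what "@" is really for

// Returns every result so a caller (or test) can inspect them.
function demo() {
  return {
    naiveOnAttack: naiveDomain(ATTACK_URL),                  // "twitter.com" (fooled)
    safeOnAttack: safeDomain(ATTACK_URL),                    // "attacker-site.com"
    naiveOnLegit: naiveDomain(LEGIT_URL),                    // "twitter.com"
    safeOnLegit: safeDomain(LEGIT_URL),                      // "twitter.com"
    safeOnUserinfo: safeDomain(USERINFO_URL),                // "example.com"
    fillOnAttack: shouldAutofill(ATTACK_URL, "twitter.com"), // false
    fillOnLegit: shouldAutofill(LEGIT_URL, "twitter.com"),   // true
  };
}

console.log(demo());
```

The point of the contrast is that the naive regex is not wrong for its intended input (`https://user:pw@example.com/` does give `example.com`); it is wrong only because it lets the userinfo scan run past the first `/`. Delegating authority parsing to `URL` removes the decision from hand-written code entirely, and failing closed on unparseable input means a malformed URL can never be treated as a match.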

The good news is that Karlsson reported the issue to LastPass before publishing it, and the development team fixed the problem the same day and pushed out an update to the extension.

Project Zero researcher finds second bug

However, Karlsson wasn't the only one to find a hole in LastPass. Google Project Zero researcher Tavis Ormandy also discovered an issue that he says would lead to a complete LastPass compromise.

The bad news is that this issue is not patched in current LastPass versions. The good news is that, at the time of writing, nobody except Ormandy and the LastPass team knows the details, which makes independent exploitation unlikely, though not impossible, until the fix ships.

Source: http://news.softpedia.com/
