Date: 2017-03-23

LastPass has had to patch a flaw in one of its browser extensions that could have enabled hackers to steal passwords from users after visiting a malicious website.

LastPass is a popular password manager which stores encrypted passwords in private accounts. It offers free and paid-for versions.

Two vulnerabilities were found by seasoned security researcher Tavis Ormandy who works for Google's Project Zero.

According to a security advisory posted by Ormandy, the flaw affecting the LastPass Chrome extension works by attacking intermediary JavaScript code that sits between the browser and LastPass' cloud service, which stores user passwords.

“This script will proxy unauthenticated window messages to the extension. This is clearly a mistake,” he said in the advisory. “This allows complete access to internal privileged LastPass RPC commands. There are hundreds of internal LastPass RPCs, but the obviously bad ones are things copying and filling in passwords (copypass, fillform, etc).”

Ormandy developed proof-of-concept code that launches an application (in this case Windows Calculator) via this JavaScript code. The code could be altered to steal user passwords before they are populated in the browser's username and password fields.

“There are a lot of RPCs, allowing complete control of the LastPass extension, including stealing passwords. If you have the 'Binary Component' installed, this even allows arbitrary code execution,” added Ormandy.
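The bug class described in the advisory, a content script that relays window messages into privileged extension RPCs without checking who sent them, is easy to model outside a browser. The following is an added illustration and is not LastPass's code: the RPC table, the origins and the message shapes are constructed for the example, and only the RPC names "copypass" and "fillform" come from the article. The vulnerable relay trusts the message body completely; the hardened relay checks the browser-set origin, validates the message shape, and only exposes an explicit allowlist of page-callable commands.

```javascript
// Added example, not LastPass's code. Models a content-script relay between a
// web page (window.postMessage) and privileged extension RPCs, in a vulnerable
// and a hardened form. All names, origins and messages here are constructed.

// Stand-in for the extension's privileged RPC table. Real handlers would act on
// the vault; these only record that they were invoked and with what.
// "copypass" and "fillform" are named in the advisory; "getversion" is hypothetical.
const PRIVILEGED_RPCS = {
  copypass: (args) => ({ rpc: 'copypass', site: args.site }),
  fillform: (args) => ({ rpc: 'fillform', site: args.site }),
  getversion: () => ({ rpc: 'getversion', version: '0.0-example' }),
};

// Vulnerable relay: forwards whatever event.data names to the RPC table.
// Any page able to run JavaScript in the tab can drive privileged RPCs this way,
// because nothing about the sender is checked.
function vulnerableRelay(event) {
  const { cmd, args = {} } = event.data || {};
  const handler = PRIVILEGED_RPCS[cmd];
  return handler
    ? { ok: true, result: handler(args) }
    : { ok: false, reason: 'unknown command' };
}

// Hardened relay factory.
//   trustedOrigins: exact origins (scheme + host + port) the relay accepts from
//   pageCallable:   the subset of RPC names a page may ever invoke
function makeHardenedRelay(trustedOrigins, pageCallable) {
  const origins = new Set(trustedOrigins);
  const callable = new Set(pageCallable);
  return function hardenedRelay(event) {
    // 1. Origin check. event.origin is filled in by the browser and cannot be
    //    forged by the sending page, unlike anything carried in event.data.
    if (typeof event.origin !== 'string' || !origins.has(event.origin)) {
      return { ok: false, reason: 'untrusted origin' };
    }
    // 2. Message shape. Reject anything that is not an object with a string
    //    cmd, so odd types never reach the table lookup.
    const data = event.data;
    if (data === null || typeof data !== 'object' || typeof data.cmd !== 'string') {
      return { ok: false, reason: 'malformed message' };
    }
    // 3. Command allowlist. Only explicitly page-callable RPCs are reachable,
    //    and the table is checked with hasOwnProperty so inherited names such
    //    as "constructor" never resolve to a handler.
    if (!callable.has(data.cmd) ||
        !Object.prototype.hasOwnProperty.call(PRIVILEGED_RPCS, data.cmd)) {
      return { ok: false, reason: 'command not page-callable' };
    }
    return { ok: true, result: PRIVILEGED_RPCS[data.cmd](data.args || {}) };
  };
}

// Constructed window message events. The shape mirrors a MessageEvent's
// origin/data fields; the origins are placeholders, not real sites.
const SAMPLE_EVENTS = [
  { origin: 'https://attacker.example', data: { cmd: 'copypass', args: { site: 'bank.example' } } },
  { origin: 'https://trusted.example', data: { cmd: 'getversion' } },
  { origin: 'https://trusted.example', data: { cmd: 'fillform', args: { site: 'bank.example' } } },
  { origin: 'https://attacker.example', data: 'not an object' },
];

// Runs every sample event through both relays and returns one row per event,
// so the difference in what each relay lets through can be compared directly.
function compareRelays() {
  const hardened = makeHardenedRelay(['https://trusted.example'], ['getversion']);
  return SAMPLE_EVENTS.map((ev) => ({
    origin: ev.origin,
    cmd: ev.data && ev.data.cmd,
    vulnerable: vulnerableRelay(ev),
    hardened: hardened(ev),
  }));
}

// Print a compact summary: the vulnerable relay runs copypass and fillform for
// any origin, the hardened one only runs the allowlisted getversion from the
// trusted origin.
for (const row of compareRelays()) {
  console.log(
    `${row.origin} ${String(row.cmd).padEnd(10)} vulnerable=${row.vulnerable.ok} ` +
    `hardened=${row.hardened.ok}${row.hardened.reason ? ' (' + row.hardened.reason + ')' : ''}`
  );
}
```

The important point is step 1: the origin is the only sender attribute the page cannot set itself, so it is the one the relay must check before looking at the payload. Even with that check, step 3 matters, because a trusted origin may still be compromised by an injected script; keeping the page-callable set small limits what such a script can reach.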

LastPass tweeted that it had already fixed the issue reported by the Google researcher and would publish further details later.

A second bug affects only version 3.3.2 of LastPass' Firefox add-on, according to Ormandy. As with the Chrome extension, the flaw can be exploited by malicious webpages to extract passwords from the manager. This version of the add-on is set to be retired by the firm.

Ormandy has also found a similar bug in LastPass version 4.1.35 for Firefox. The researcher is gaining quite a reputation for finding bugs in LastPass: in July last year, he discovered a flaw in LastPass that allowed remote code execution.

This article originally appeared at scmagazineuk.com