Once on the website, the attacker could make calls into LastPass APIs, or in some cases run arbitrary code, while appearing as a trusted party. The two new vulnerabilities, one involving a website connector bug and the other being a Firefox based message hijacking bug, were discovered by Tavis Ormandy, a security researcher on Google’s Project Zero team. To exploit these vulnerabilities, an attacker would start out by luring a user to a malicious website. For the second time in a few months, LastPass had to address serious security flaws in its password manager browser extensions, this time in both Google Chrome and Mozilla Firefox.
0 Comments
Leave a Reply. |