Security remains our highest priority here at LastPass, which includes responding to and resolving reports of bugs or vulnerabilities quickly. Today we have a security update regarding recent fixes to the LastPass Firefox extension. This update was made in response to recommendations from Wladimir Palant, a security researcher and author of the popular Firefox add-on Adblock Plus, who contacted us shortly after a previous security report.
Palant reached out specifically to point out potential vulnerabilities in our URL parsing and message passing. While the URL parsing issues could not be exploited, we improved our design according to the proposals Palant provided. The message passing vulnerability could potentially have been exploited by luring a LastPass user on Firefox to a malicious website and then tricking the LastPass extension into performing actions in the background without the user's knowledge. We have no evidence of these vulnerabilities being exploited, and we promptly issued fixes to address Palant's concerns.
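The class of issue described above, an extension acting on messages that an arbitrary web page can send, is usually mitigated by validating where a message came from before dispatching anything privileged. The following is an added illustration written for this post; it is not LastPass code and says nothing about how the actual extension was built. It simulates a `window` `message` event handler (in a real WebExtension the same check is made on `event.origin`, or on the `sender` object passed to `runtime.onMessage` listeners). The origins, action names and event objects are constructed placeholders, and the code runs without a browser.

```javascript
// Added example, not LastPass code: an extension-side message handler that
// refuses instructions from pages it does not trust. Event objects below
// are constructed to mimic a MessageEvent ({origin, data}); no browser needed.
// Origins and action names are placeholders (assumptions for illustration).

const TRUSTED_ORIGINS = new Set(["https://extension-ui.example"]); // placeholder

// Privileged actions the handler can dispatch. "fillLogin" stands in for any
// sensitive operation; here it only reports what it would have done.
const actions = {
  fillLogin: (payload) => ({ performed: "fillLogin", site: String(payload && payload.site) }),
  ping: () => ({ performed: "ping" }),
};

// Vulnerable pattern: any page that sends a message with a known "type" gets
// the corresponding action executed, regardless of where the message came from.
function vulnerableHandler(event) {
  const msg = event.data;
  if (msg && typeof msg.type === "string" && actions[msg.type]) {
    return actions[msg.type](msg.payload);
  }
  return null;
}

// Hardened pattern: check the origin first, then the message shape, then that
// the requested action is one deliberately exposed. Rejections are returned as
// objects so the caller can log them for detection instead of silently dropping.
function hardenedHandler(event, trustedOrigins = TRUSTED_ORIGINS) {
  if (!trustedOrigins.has(event.origin)) {
    return { rejected: "untrusted-origin", origin: event.origin };
  }
  const msg = event.data;
  if (!msg || typeof msg !== "object" || typeof msg.type !== "string") {
    return { rejected: "malformed-message" };
  }
  // hasOwnProperty guards against "type": "constructor" or "__proto__"
  // resolving to Object.prototype members instead of a real action.
  if (!Object.prototype.hasOwnProperty.call(actions, msg.type)) {
    return { rejected: "unknown-action", type: msg.type };
  }
  return actions[msg.type](msg.payload);
}

// Constructed sample events: one from the trusted UI origin, one from an
// arbitrary web page such as a site the user was lured to.
function makeEvent(origin, data) {
  return { origin, data };
}

const trustedEvent = makeEvent("https://extension-ui.example",
  { type: "fillLogin", payload: { site: "bank.example" } });
const untrustedEvent = makeEvent("https://some-web-page.example",
  { type: "fillLogin", payload: { site: "bank.example" } });

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable:", vulnerableHandler(untrustedEvent)); // action runs
  console.log("hardened:", hardenedHandler(untrustedEvent));     // rejected
  console.log("hardened, trusted:", hardenedHandler(trustedEvent));
}
```

The origin allow-list is the essential control: without it, the "type" field alone decides whether a privileged action runs, and any page the user visits can supply that field. Returning structured rejection objects rather than returning nothing gives the extension something concrete to log, which is what makes attempted abuse visible.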
Firefox users have received the automatic update to version 4.1.26 containing the fix. No action should be required, but you can check whether you are running the latest version by clicking the LastPass Icon > Tools > About. The latest update is also available on our downloads page.
Please note that the reported issues only affected LastPass Firefox extension versions between 4.0 and 4.1.21 and did not affect LastPass extension version 3.3.1, available in the Mozilla Add-ons store at addons.mozilla.org.
Again, we thank Palant for his responsible disclosure and for working with our team to make LastPass even stronger and more secure. We truly value the important work that the security research community provides. As a reminder, we welcome reports and suggested security improvements through our bug bounty program at https://bugcrowd.com/lastpass.