Vuln: LastPass for Firefox Security Bypass Vulnerability

Bugtraq ID: 97043
Class: Unknown
CVE:
Remote: Yes
Local: No
Published: Mar 21 2017 12:00AM

Credit: Travis Ormandy
Vulnerable: LastPass LastPass 2.5.1
LastPass LastPass 2.0.4
LastPass LastPass 4.1.21a
LastPass LastPass 4.1.20a

Not Vulnerable: LastPass LastPass 4.1.36a

Discussion

LastPass for Firefox Security Bypass Vulnerability

LastPass is prone to a security-bypass vulnerability.

Attackers can exploit this issue to bypass certain security restrictions to perform unauthorized actions.

Versions prior to LastPass 4.1.36a are vulnerable.

Exploit

LastPass for Firefox Security Bypass Vulnerability

The researcher who discovered this issue has created a proof-of-concept. Please see the references for more information.

References

LastPass for Firefox Security Bypass Vulnerability

References:

Lastpass Homapage (Lastpass)
LastPass: FireFox error pages still load Content Scripts, allowing access to Ext (Google)

Exploit Collector

Search Exploit