A hacker by the name of Tavis Ormandy recently discovered multiple vulnerabilities in the Firefox and Chrome extensions of LastPass. The vulnerabilities allowed attackers to steal the passwords of any user running version 3.2.2 of the extension.
The first exploit was reported on March 15; Ormandy wrote proofs of concept for the flaws and the LastPass team quickly moved to patch the vulnerabilities. The description on the Project Zero bug tracker stated that the flaw could provide “complete access to internal privileged LastPass RPC commands. There are hundreds of internal LastPass RPCs, but the obviously bad ones are things copying and filling in passwords (copypass, fillform, etc)”. Per reports, the first vulnerability was patched on Tuesday on the server side, with the rest being patched in the newest version of the Firefox extension, 4.1.36a, released yesterday.
In a blog post, the LastPass developers wrote: “We have no indication that any of the reported vulnerabilities were exploited in the wild, but we’re doing a thorough review at this time to confirm.”