Ormandy spotted the latest flaw when he figured out a how to get codeexec in LastPass 4.1.43. during an epiphany he had in his morning shower.
Ormandy spotted the latest flaw when he figured out a how to get codeexec in LastPass 4.1.43. during an epiphany he had in his morning shower.

For the second time in two weeks, Google Project Zero team researcher Tavis Ormandy has discovered a critical vulnerability in LastPass password manager that will allow attackers to steal passwords or infect users with malware.

Ormandy spotted the latest flaw when he figured out a how to get codeexec in LastPass 4.1.43. during an epiphany he had in his morning shower earlier this week, according to a March 25 tweet Ormandy sent.

LastPass described the client-side vulnerability as “unique and highly sophisticated” in a March 27 security update and said it is actively addressing the vulnerability thought it didn't provide further details.

Ormandy said the flaw affects the latest version of the LastPass browser extension for all major browsers and claims to have successfully tested it on Windows and Linux and believes it will likely work on Mac.

Last week, Ormandy spotted a separate vulnerability affecting the LastPass Chrome extension works by attacking an intermediary JavaScript code between a browser and the LastPass cloud service, which stores user passwords.