Security remains our highest priority here at LastPass, including quickly responding to and fixing reports of bugs or vulnerabilities. Today, we have a security update regarding previous fixes to the LastPass Firefox extension. This update was in response to recommendations provided by Wladimir Palant, a security researcher and maker of the popular Firefox add-on Adblock Plus, who approached us shortly after a previous security report.
Palant approached us specifically to point out potential vulnerabilities in our URL parsing and message passing. While the URL parsing issues could not be exploited, we did improve our design per the recommendations Palant provided. The message passing vulnerability could potentially be exploited by luring a LastPass user on Firefox to a malicious website and then tricking the LastPass extension into executing actions in the background without the user’s knowledge. We have no evidence of these vulnerabilities being exploited, and we quickly issued fixes to address Palant’s concerns.
Firefox users have received the automatic update to version 4.1.26 with the fix. No action should be needed, but you can check whether you are running the latest version by clicking on the LastPass icon > Tools > About. The latest update is currently available on our downloads page.
Please note that the reported issues only affected LastPass Firefox extension versions between 4.0 and 4.1.21 and did not affect LastPass extension version 3.3.1, available in the Mozilla Add-ons store at addons.mozilla.org.
Again, we thank Palant for his responsible disclosure and for working with our team to make LastPass even stronger and more secure. We truly value the important work that the security research community provides. As a reminder, we welcome reports and suggested security improvements via our bug bounty program at https://bugcrowd.com/lastpass.