Firefox Extension Security Update

September 16, 2016 | Security News

Security remains our highest priority here at LastPass, including quickly responding to and fixing reports of bugs or vulnerabilities. Today, we have a security update regarding previous fixes to the LastPass Firefox extension. This update was in response to recommendations provided by Wladimir Palant, a security researcher and maker of the popular Firefox addon AdBlock Plus, who approached us shortly after a previous security report.

Palant approached us specifically to point out potential vulnerabilities in our URL parsing and message passing. While the URL parsing issues could not be exploited, we did improve our design per the recommendations Palant provided. The message passing vulnerability could potentially have been exploited by luring a LastPass user on Firefox to a malicious website and then tricking the LastPass extension into executing actions in the background without the user’s knowledge. We have no evidence of these vulnerabilities being exploited, and we quickly issued fixes to address Palant’s concerns.
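To make the two issue classes above concrete, here is an added illustration of how a browser-extension content script can gate `window.postMessage` traffic so that an arbitrary web page cannot drive extension actions. This is example code written for this page, not LastPass's extension code and not a reconstruction of the specific flaws Palant reported; the origin `https://vault.example.com`, the command names, the `ownWindow` stand-in and the sample events are all hypothetical. It contrasts a prefix-match origin check (which a look-alike hostname passes) with an exact parsed-origin comparison, and only then checks the message's source window and command allow-list.

```javascript
// Added illustration, not LastPass's code. All origins, commands and events
// below are constructed for the example. Run with: node gate.js

// Exact first-party origins allowed to send commands to the extension.
const TRUSTED_ORIGINS = new Set(["https://vault.example.com"]);

// Commands a web page is allowed to trigger; privileged actions are simply
// not listed, so no message can name them.
const ALLOWED_COMMANDS = new Set(["ping", "fill-login-form"]);

// Weak check: string-prefix matching on the origin. A hostname such as
// "vault.example.com.attacker.invalid" begins with the trusted string
// and is therefore accepted.
function originLooksTrustedWeak(origin) {
  return [...TRUSTED_ORIGINS].some((t) => origin.startsWith(t));
}

// Strict check: parse the origin with the WHATWG URL parser and compare the
// normalised scheme://host[:port] exactly. Unparseable values ("null") fail.
function originIsTrusted(origin) {
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return false;
  }
  return parsed.protocol === "https:" && TRUSTED_ORIGINS.has(parsed.origin);
}

// The gate a content script would run inside its "message" listener.
// `event` mirrors the fields of a MessageEvent: origin, source and data.
// Returns { ok: true, cmd } or { ok: false, reason }.
function gateMessage(event, ownWindow, originCheck = originIsTrusted) {
  // Messages from child frames carry a different source window.
  if (event.source !== ownWindow) return { ok: false, reason: "foreign-source" };
  // The page the script was injected into must be a trusted first-party origin.
  if (!originCheck(event.origin)) return { ok: false, reason: "untrusted-origin" };
  const msg = event.data;
  if (!msg || typeof msg !== "object") return { ok: false, reason: "malformed" };
  if (!ALLOWED_COMMANDS.has(msg.cmd)) return { ok: false, reason: "unknown-command" };
  return { ok: true, cmd: msg.cmd };
}

// Constructed stand-ins for window objects and for incoming MessageEvents.
const thisWindow = { name: "top" };
const childFrame = { name: "iframe" };
const sampleEvents = [
  { origin: "https://vault.example.com", source: thisWindow, data: { cmd: "fill-login-form" } },
  { origin: "https://vault.example.com.attacker.invalid", source: thisWindow, data: { cmd: "fill-login-form" } },
  { origin: "https://vault.example.com", source: childFrame, data: { cmd: "fill-login-form" } },
  { origin: "https://vault.example.com", source: thisWindow, data: { cmd: "export-vault" } },
  { origin: "https://vault.example.com", source: thisWindow, data: "not-an-object" },
];

// Run every sample event through the gate with the given origin check.
function runDemo(originCheck) {
  return sampleEvents.map((ev) => gateMessage(ev, thisWindow, originCheck));
}

for (const [label, check] of [["weak", originLooksTrustedWeak], ["strict", originIsTrusted]]) {
  console.log(`${label} origin check:`);
  runDemo(check).forEach((r, i) =>
    console.log(`  event ${i}: ${r.ok ? "accepted " + r.cmd : "rejected (" + r.reason + ")"}`));
}
```

With the weak check, event 1 (the look-alike hostname) is accepted and the command runs; with the strict check it is rejected as `untrusted-origin`, while the cross-frame, unknown-command and malformed events are rejected by either variant. The point is that origin validation has to be an exact comparison of parsed components, and that it sits in front of, not instead of, source and command validation.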

Firefox users have received the automatic update to version 4.1.26 with the fix. No action should be needed, but you can check to see if you are running the latest version by clicking on the LastPass Icon > Tools > About. The latest update is currently available on our downloads page.

Please note that the reported issues only affected the LastPass Firefox extension versions between 4.0 and 4.1.21 and did not affect the LastPass extension version 3.3.1 available in the Mozilla Addons store at addons.mozilla.org.

Again, we thank Palant for his responsible disclosure and for working with our team to make LastPass even stronger and more secure. We truly value the important work that the security research community provides. As a reminder, we welcome reports and suggested security improvements via our bug bounty program at https://bugcrowd.com/lastpass.

6 Comments

  • Tim Turner says:

    Firefox users have received the automatic update to version 4.1.26? Is that supposed to be the Firefox version? Mine is 48.0.2. My Last Pass appears to be 3.3.1, what program are you talking about here? I see no way to check for LastPass updates.

    • Amber Gott says:

      Hi Tim, you are currently running the version available in the Firefox addons store at addons.mozilla.org. That version was not affected, and no action is needed on your part. This new version is not yet available in the Firefox addons store.

  • Don Taber says:

    I received this notice on 9/16 and immediately checked the version of the LP extension in Firefox. It’s 4.1.29... not 4.1.26... and was installed on 9/2. Strange to be getting a notice 2 weeks after the Firefox LP extension has already been updated PAST 4.1.26 to 4.1.29.

    • Amber Gott says:

      Hi Don, we immediately investigate and fix the reported vulnerabilities. Once complete and we’ve issued the automatic updates to protect all users, we wait to publicly disclose until we can confirm that all partners have also issued the updates. I can confirm that the latest is 4.1.29 as of today.

  • Anonymous says:

    Mine says 4.1.29a, dated 9/4/16.