Important Security Updates for Our Users

Update March 25, 2017 (5:00pm): Our team is currently investigating a new report by Tavis Ormandy and will update our community when we have more details. Thank you.

Incident Report: March 22nd, 2017 (2:30pm)

We want to provide an update to our community on the vulnerabilities recently reported by Tavis Ormandy, a security researcher on Google’s Project Zero team.

This is a long post, so you can get the need-to-know highlights in the overview, or dig into the details in the comprehensive summary below.

Overview

  • Two vulnerabilities were recently identified by security researcher Tavis Ormandy
  • Our investigation to date has not indicated that any sensitive user data was lost or compromised
  • All extensions have been patched and are being re-released to users
  • Our mobile apps for Android and iOS were not affected
  • No master password change is required
  • No site credential passwords need to be changed
  • Ensure you are running the latest versions
    • Most users will update automatically but the latest versions can always be downloaded from
    • Go to LastPass Icon > More options > About LastPass to check your version
      • Firefox: 4.1.36
      • Chrome: 4.1.43
      • Edge: 4.1.30 (pending approval by Microsoft)
      • Opera: 4.1.28 (pending approval by Opera)

What happened

Tavis Ormandy, a researcher at Google’s Project Zero, reported two vulnerabilities to our team over the past week that affected many LastPass browser extensions. The reported issues affected both personal and business users.

To exploit the reported vulnerabilities, an attacker would first lure a user to a malicious website. Once the user was on that website, Tavis demonstrated how an attacker could make calls into LastPass APIs, or in some cases run arbitrary code, while appearing as a trusted party. Doing so would allow the attacker to potentially retrieve and expose information from the LastPass account, such as the user’s login credentials.

Firefox 3.3.2 message-hijacking bug

What was reported:
Based on our URL parsing process in Firefox 3.3.2, malicious websites could spoof legitimate websites and fool the LastPass add-on into providing user site credentials.

This bug was reported to our team last year and fixed at that time. However, the fix was not pushed down to our legacy Firefox 3.3.x branch; this branch has been scheduled for formal retirement in April.

What you need to know:

Website connector bug

What was reported:
An issue with the architecture for a consumer onboarding feature affected clients on which that code appeared (Chrome, Firefox, Edge). A malicious website could trick LastPass by masquerading as a trusted party and steal site credentials. Users running the LastPass binary component (less than 10% of the LastPass user base) were further susceptible to remote exploit when lured to a malicious website.

The bug was first introduced in August 2016 when we released this experimental onboarding feature to our consumer users. The code, however, does live in all Chrome, Firefox, and Edge LastPass clients.

Upon notification of the vulnerability, the LastPass team immediately shut down the vulnerable service, and began work to update all affected clients.

While working on our client-side fix, Tavis tweeted (since deleted) about an additional issue. To clarify, this was the same issue across two distinct browsers. This caused some confusion around the volume of issues and the status of fixes.

What you need to know:

  • We have submitted updates to all affected clients to fully remove this vulnerability and re-released them to all users.
  • Chrome and Firefox are live now, while Edge and Opera are awaiting app store approval.
  • As a part of that process, we conducted an exhaustive analysis of every other extension (as well as our installers) that leverages this code.

Full Timeline (Eastern US):

Firefox 3.3.2 message-hijacking bug

  • March 10th: LastPass announces formal deprecation of Firefox 3.3.x versions
  • March 15th 10:45pm: Firefox 3.3.2 message-hijacking vulnerability announced
  • March 15th 10:48pm: LastPass receives details of Firefox 3.3.2 bug and launches investigation
  • March 17th 8:43am: LastPass submits a patch to Mozilla with Firefox 3.3.4

Website connector bug

  • March 20th 7:20pm: Chrome 4.1.42 website connector bug announced
  • March 20th 7:36pm: LastPass cross-functional security investigation launched
  • March 21st 12:15am: LastPass shuts down offending service server-side
  • March 21st 7:04am: LastPass announces server-side workaround in place while we thoroughly analyze code and fully resolve client-side issues
  • March 22nd 12:10am: LastPass releases Firefox 4.1.36 with fix
  • March 22nd 12:07pm: LastPass releases Chrome 4.1.43 with fix
  • March 22nd 1:55pm: LastPass submits Edge 4.1.30 for release
  • March 22nd 2:49pm: LastPass releases Opera 4.1.28 with fix; store release pending

Reminders on Personal Security Best Practices

We know LastPass users try to follow best practices, but these are always good reminders of how to protect your own machine and keep your data safe:

  • Beware of phishing attacks. Do not click on links from people you don’t know, or that seem out of character from your trusted contacts and companies.
  • Use a different, unique password for every online account.
  • Use a strong, secure master password for your LastPass account that you never disclose to anyone, including us.
  • Turn on two-factor authentication for LastPass and other services like your bank, email, Twitter, Facebook, etc.
  • Keep a clean machine by running antivirus and keeping your software up-to-date.

Looking Ahead

To prevent these issues in the future, we are reviewing and strengthening our code review and security processes in place today, particularly around new and experimental features.

It goes without saying that security is fundamental to what we do. We strive for transparency in responding to these issues. We greatly value the work that Tavis, Project Zero, and other white-hat researchers provide. We all benefit when this security model works for responsibly disclosing bugs, and are confident LastPass is stronger for the attention. We welcome contributions from all researchers via our bug bounty program at
March 22nd, 2017 (11:12am)

Over the past week, we have worked with Google security researcher Tavis Ormandy to investigate and fix reported vulnerabilities. We apologize for the delayed response as we’ve been conducting a thorough investigation on these reports in an effort to provide as much detail to you as possible. While we will soon be providing a postmortem, we wanted to share a quick summary for our community.

What Happened

On the night of March 20th, we received a report of an issue in our Chrome extension. We immediately investigated and released a server-side workaround within a few hours. The exploit applied to all LastPass clients – Chrome, Firefox, Edge – in which an experimental user onboarding feature was released.

Later on March 21st, another report came in related to Firefox 4.1.35a. In fact, this vulnerability is largely the same as the one reported the prior day, and affects the 4.x Firefox add-on. While this issue would have been addressed by the full fix that was to follow our workaround, this report was received before that fix could be released. We issued an update, Firefox 4.1.36a, around 12:15am ET today to specifically address that report.

The fixes are being pushed to all users and most should be updated automatically.

We have no indication that any of the reported vulnerabilities were exploited in the wild, but we’re doing a thorough review at this time to confirm. We will soon provide a more comprehensive summary of the events and what our community needs to know. No password changes are required of users at this time.
  • Brian says:

    Good reply. Fast response. Not sure what more LastPass users could ask for.

    I’m curious why Tavis Ormandy didn’t choose to release the vulnerability privately to LastPass before making it public.

  • Bryon Black says:

    Excellent and timely response. Vulnerability patched via workaround until a more permanent fix could be deployed. Of course we would love all the gory details sooner but knowing that a workaround was in place and that a full solution was in the works was a perfect response. The response is on point, I will continue to use and recommend LastPass.
  • Andy says:

    Really pleased to see an official response from LastPass on this subject. Thank you very much. Well written, succinct and reasoned with a suitable amount of detail to assist me to understand not only that the issue was resolved, but what it was, how it happened and what you did about it. This is why I retain my subscription to LP; when an issue arises you resolve it promptly and fully disclose what it was. I don’t require you to be perfect, but I do expect you to try to be, and I do expect you to own and correct issues as they occur.

    But I wish the response had come out sooner. Even a quick, interim response on your blog, just something along the lines of “We are aware of the problem, we don’t believe there’s a risk, and we’re investigating further” would have been so much better than a tweet I had to go hunting for and a bunch of media articles telling me the sky was falling.

  • Thorz says:

    Nice to have finally seen an official post with an explanation about these issues.
    It was stressing to read on many security pages what was happening and not have an official word from LastPass. The next time a faster reaction would be much appreciated, thanks.
    I am glad that you took care of the problem. Keep up the good work.

  • Tim says:

    It would be nice to hear an overview of the internal security review process for newly added code to reduce the likelihood of future issues like this. What I want to see is that LastPass takes this failure seriously and future issues are being prevented, not just fixing things quickly when someone else finds them.

  • rindertb says:

    4.1.36 and 4.1.36a …

    • Amber Gott says:

      Sorry for the confusion, we’ve updated the post to clarify this. You should have version 4.1.36, Mozilla adds the “a” to indicate that the LastPass 4.x branch is in their dev channel. Once we officially retire 3.x in April, this will be gone.