A recently disclosed remote code execution vulnerability in LastPass’s Chrome extension allowed an attacker to reach internal, privileged LastPass RPC commands. In practice, this could have meant that victims’ passwords were exposed to attackers. Lee Munson, Security Researcher at Comparitech.com, commented below.
Lee Munson, Security Researcher at Comparitech.com:
“LastPass may have had a flaw, albeit one that was quickly patched, but that doesn’t mean password managers should be dismissed as a bad idea by the masses.
On the contrary, despite bugs and vulnerabilities being present in just about all software, the risks here are minimal, especially given how keen the security community is to look for them in these types of applications.
The bigger risk, I would argue, comes from not using a password manager – namely that the user ends up replicating the same password across all the online accounts that they use.
As in this case, the best defence against such issues is multiple eyeballs on the code. While the security community does a pretty good job of hunting vulnerabilities just because, a healthy bug bounty program may offer a higher level of motivation to white hats.
The reason why remote code execution bugs keep on cropping up is the same one that pervades all areas of security, namely the human, otherwise known as the weakest link. Non-adherence to secure coding practices is one side of the coin, our fallibility the other.
That’s why it is so essential that companies continually test their software, long before it goes into production. While there are never any guarantees, simple steps such as requiring someone not associated with a project to act as its code reviewer, as well as external testing, can help mitigate the risks here.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.