They haven't fixed the previous vulnerability yet, I think due to slow Mozilla addon review process.
Oops, new LastPass bug that affects 4.1.42 (Chrome&FF). RCE if you use the "Binary Component", otherwise can steal pwds. Full report on way.pic.twitter.com/y92vm3Ibxd
-
-
-
Do you happen to know if Firefox add-ons get updated automatically? Trying to assess how much sense crafting a 0patch will make.
-
I believe they do, after a long manual review process by Mozilla staff.
-
Makes sense (both auto update and Mozilla's review)
End of conversation
New conversation -
-
-
I have a full exploit working without any prompts on Windows, could be made to work on other platforms. Sent details to LastPass.
-
Full exploit is two lines of javascript.
#sigh ¯\_(ツ)_/¯ -
Makes me wonder what the shortest exploit in the history of computing is, in terms of number of bytes.
-
I don't know, but I got a local root exploit for Ubuntu to fit in a tweet once
https://twitter.com/taviso/status/601370527437967360 … -
We tried to make
#tweetsploits a thing at one point...https://twitter.com/jonoberheide/status/18009527979 … -
That reminds me, maybe Kingcope's old solaris `-froot` exploit (CVE-2007-0882) would be the shortest...
- 1 more reply
New conversation -
-
-
is that windows only?
-
Nope, verified on Linux.
-
cool, cheers for the response.
End of conversation
New conversation -
-
-
Remote Code Execution.
-
@nnoouuvv Thanks!
End of conversation
New conversation -
-
why are people still using LastPass?!
-
greater userbase=more prone to being assessed=more vulns found, so it doesnt mean other pwd managers are any safer.
-
Also their response time is usually pretty good
End of conversation
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.