The bug was found in the Chrome and Firefox browser extensions. The good news is that the Chrome extension bug has been patched; the Firefox extension, however, remains unpatched, putting all of its users at risk.
"This allows complete access to internal privileged LastPass RPC commands," the researcher said. "There are hundreds of internal LastPass RPCs, but the obviously bad ones are things copying and filling in passwords (copypass, fillform, etc.)."
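As an added example (not LastPass's code, and not a description of how this particular bug worked), the defensive pattern the quote points at is a background script that routes every RPC through one dispatcher which checks who is asking before a privileged command runs. The handler bodies, the TRUSTED_ORIGINS allowlist, the placeholder EXTENSION_ID and the non-privileged "ping" command are constructed for illustration; copypass and fillform are the RPC names from the quote. It runs stand-alone under Node, with a plain object standing in for the runtime.MessageSender that chrome.runtime.onMessage hands to a listener.

```javascript
// Added example, not LastPass code: a privileged-RPC dispatcher for a browser
// extension background script that refuses privileged commands from untrusted
// senders. TRUSTED_ORIGINS, EXTENSION_ID, the handler bodies and "ping" are
// constructed; "copypass" and "fillform" are the RPC names quoted in the article.

const PRIVILEGED_RPCS = new Set(["copypass", "fillform"]);

// Only pages served from these exact origins may invoke privileged RPCs (constructed).
const TRUSTED_ORIGINS = new Set(["https://vault.example.test"]);

// Placeholder extension id (constructed; a real Chrome id is 32 lowercase letters).
const EXTENSION_ID = "abcdefghijklmnopabcdefghijklmnop";

// Reduce a runtime.MessageSender-like object to a normalized origin, or null.
// Parsing with URL (instead of a substring or loose regex match on the raw
// string) means a lookalike host such as vault.example.test.attacker.example
// yields a different origin and cannot pass the allowlist.
function senderOrigin(sender) {
  if (!sender || typeof sender.url !== "string") return null;
  try {
    return new URL(sender.url).origin;
  } catch (e) {
    return null;
  }
}

// True only for the extension's own pages or an allowlisted web origin.
function isTrustedSender(sender, extensionId) {
  if (!sender || typeof sender.url !== "string") return false;
  // Extension pages (popup, options) carry the extension id in their URL.
  // Content scripts also report sender.id, but their URL is the web page's,
  // so the prefix check keeps them out. (Firefox uses moz-extension://.)
  if (sender.id === extensionId &&
      sender.url.startsWith("chrome-extension://" + extensionId + "/")) {
    return true;
  }
  const origin = senderOrigin(sender);
  return origin !== null && TRUSTED_ORIGINS.has(origin);
}

// Central dispatch: every privileged command passes the same gate, so one
// forgotten check among "hundreds" of handlers cannot expose that handler.
function dispatchRpc(message, sender, extensionId, handlers) {
  if (!message || typeof message.cmd !== "string") {
    return { ok: false, error: "malformed" };
  }
  const handler = handlers.get(message.cmd);
  if (!handler) return { ok: false, error: "unknown" };
  if (PRIVILEGED_RPCS.has(message.cmd) && !isTrustedSender(sender, extensionId)) {
    // A web page asking for a privileged RPC is a strong detection signal;
    // a real extension would log it rather than silently drop it.
    return { ok: false, error: "forbidden", from: senderOrigin(sender) };
  }
  return { ok: true, result: handler(message.args || {}) };
}

// Constructed handlers standing in for the real ones.
function exampleHandlers() {
  return new Map([
    ["ping", () => "pong"],
    ["fillform", (args) => "would fill credentials for " + args.site],
    ["copypass", (args) => "would copy password for " + args.site],
  ]);
}

// Demo: an arbitrary web page versus the trusted vault page.
function demo() {
  const handlers = exampleHandlers();
  const fromWeb = { id: EXTENSION_ID, url: "https://attacker.example.test/page.html" };
  const fromVault = { id: EXTENSION_ID, url: "https://vault.example.test/vault" };
  const fill = { cmd: "fillform", args: { site: "bank.example.test" } };
  return {
    webPing: dispatchRpc({ cmd: "ping" }, fromWeb, EXTENSION_ID, handlers),
    webFill: dispatchRpc(fill, fromWeb, EXTENSION_ID, handlers),
    vaultFill: dispatchRpc(fill, fromVault, EXTENSION_ID, handlers),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The two design choices that matter are that the gate lives in the dispatcher rather than in each handler, and that the sender's URL is parsed into an origin rather than matched as a substring, so a host that merely contains a trusted name, or the same host over plain http, does not qualify.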
One unbelievable detail Ormandy added: the LastPass team failed to reproduce the bug and said his exploit code was not working. The reason was that the researcher's proof of concept launched the Windows Calculator executable, while LastPass was examining the code on a Mac.
And obviously calc.exe is not available on a Mac. 😁😁😁
I found another bug in LastPass 4.1.35 (unpatched), allows stealing passwords for any domain. Full report will be on the way shortly. pic.twitter.com/9VkV7R3vud
— Tavis Ormandy (@taviso) March 21, 2017
This is not the end: Ormandy has found another critical bug in LastPass 4.1.35 (unpatched) that allows stealing passwords for any domain. The full report on it is coming soon.