Developers of the popular LastPass password manager rushed to push out a fix for a serious vulnerability that could have allowed attackers to steal users’ passwords or execute malicious code on their computers.
The vulnerability was discovered by Google security researcher Tavis Ormandy and was reported to LastPass on Monday. It affected the browser extensions installed by the service’s users for Google Chrome, Mozilla Firefox and Microsoft Edge.
According to the Google Project Zero bug tracker, the vulnerability could have given attackers access to internal commands inside the LastPass extension. Those are the commands the extension uses to copy passwords or fill in web forms using information stored in the user’s secure vault.
If the extension’s binary component is installed, the “openattach” command can be used to run arbitrary code on the computer, Ormandy said on the bug tracker.
. “No password changes are required of users at this time.”