After not one but two significant security breaches last year, LastPass lost its good name and its standing as one of the best security tools available.
Last week, more information about the second incident came to light. Through an exploit in Plex, a cloud storage service for movie storage and streaming, a malicious party was able to install a keylogger on a senior engineer’s home computer and, as a result, access corporate-level caches. It appears, however, that the engineer also contributed significantly to this catastrophe.
Plex has disclosed that the attack described above made use of a flaw that was first publicly revealed on May 7, 2020. According to the firm, as reported by PCMag, the LastPass employee never updated their Plex software to apply the fix, for whatever reason.
The flaw allowed anyone with access to a server administrator’s Plex account to set the location of a Camera Uploads library so that it overlapped the server data directory, upload a malicious program through the Camera Upload feature, and have the media server run it.
The next day, the company published Plex Media Server v1.19.3 to close the vulnerability. “For reference, the version that addressed this exploit was roughly 75 versions ago,” a Plex spokesperson said. LastPass chose not to respond to the new information.
What is obvious to us is that the chain of events leading to this breach began at the top: LastPass allowed this senior staff member to reach restricted work areas from a personal computer. That created an opening for someone to gain access to the employee’s Plex account, exploit a long-patched flaw that still worked only because the employee had never updated, and from there gain complete access to those restricted work areas.
Each step in this chain was the result of a choice that may have seemed acceptable at the time for one reason or another. But given the current state of affairs, LastPass will need a larger shovel to dig itself out of this grave.
LastPass:
LastPass is a password manager that is available as a paid subscription as well as a free version with fewer features. LastPass’ standard edition provides a web interface in addition to extensions for numerous web browsers and apps for numerous devices.
Support for bookmarklets is also available. In October 2015, LogMeIn, Inc. (now GoTo) purchased LastPass. On December 14, 2021, LogMeIn revealed that LastPass would become a separate entity and advance the delivery of its software.