Security Alerts & News
by Tymoteusz A. Góral

#1221 LastPass: design flaw in communication between privileged and unprivileged components
I'm looking at LastPass 4.1.20a on Windows, and can see some problems with the
design. It looks like the addon works by injecting elements and event handlers
into the page.

<input> boxes are modified with some CSS, and a click event handler is added
that instructs the addon to create a privileged iframe. A page can click the
LastPass icon programmatically with JavaScript by creating a MouseEvent() with
the right x:y coordinates. Normally a page would not be permitted to navigate
to a resource:// URL, but this just asks the add-on to do it.
#1225 If you get caught using a VPN in the UAE, you'll face fines of up to $545,000
#1224 Protecting Android with more Linux kernel defenses
#1223 Parental control software for Windows put to the test
#1222 Telegram app vuln recorded anything macOS users pasted—even in secret
#1221 LastPass: design flaw in communication between privileged and unprivileged components
#1220 LastPass unpatched zero-day vulnerability gives hackers access to your account