LastPass Firefox Extension 4.0 < 4.1.21a Message Hijacking
High Nessus Plugin ID 92660
SynopsisA password manager installed on the remote host is affected by a remote message hijacking vulnerability.
DescriptionAccording to its version, the LastPass Firefox extension installed on the remote Windows host is 4.0.x prior to 4.1.21a. It is, therefore, affected by a message hijacking vulnerability due to improper validation of messages sent between the extension and a privileged iframe. An unauthenticated, remote attacker can exploit this issue, by convincing a user into loading a specially crafted web page that programmatically clicks a LastPass modified input element, to take full control of the LastPass extension, including creating and deleting files, executing scripts, and disclosing passwords.
SolutionUpgrade to LastPass Firefox extension version 4.1.21a or later.