The test page is still vulnerable for me. https://lock.cmpxchg8b.com/SaiGhij5/la... | Hacker News

Hacker News new | past | comments | ask | show | jobs | submit

login

joshschreuder on March 21, 2017 | parent | context | favorite | on: LastPass RCE vulnerability fixed

The test page is still vulnerable for me.

https://lock.cmpxchg8b.com/SaiGhij5/lastpass.html

  Chrome 57.0.2987.110 (64-bit)
  Version: 4.1.42
  Built: Thu Mar 09 2017 12:40:16 GMT-0500 (EST)
  Binary Component: true (Native Messaging version 4.1.34, built Jan 11 2017 01:45:24)

Any idea why? I thought no user action was required? No custom error message for NXDOMAIN (I think?), I see the Lastpass site, then calc.exe opens.

https://twitter.com/LastPass/status/844176201392504834

shawnz on March 22, 2017 | [–]

Still works for me too. I guess I'm disabling the extension for now.

joshschreuder on March 23, 2017 | [–]

Just tried again and they've pulled down the website, so the exploit is no longer working.

Consider applying for YC's Spring batch! Applications are open till Feb 11.
Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact