Closed
Bug 1355555
Opened 9 years ago
Closed 8 years ago
lastpass 3.3.4 should be disabled
Categories
(addons.mozilla.org :: Security, enhancement)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: ephbase-moz, Unassigned)
Details
https://blog.lastpass.com/2017/03/security-update-for-the-lastpass-extension.html/
It has a major vulnerability that's fixed in 4.x, so either 4.x should be released or 3.3.4 disabled.
Comment 1 • 9 years ago
Can you please provide that source that confirms that 3.x is affected by that vulnerability?
Comment 2 (Reporter) • 9 years ago
The blog post says:
> Please ensure you are running the latest version (4.1.44 or higher)
For a more definitive statement please confirm with LastPass.
Comment 3 • 9 years ago
3.x and 4.x are vastly different, so issues in 4.x don't necessarily apply to 3.x.
I would WONTFIX this unless someone can confirm that 3.x is actually affected. Especially, since 4.x is around the corner...
Comment 4 (Reporter) • 9 years ago
From their blog:
> All of your LastPass browser extensions should be updated to version 4.1.44 or higher
They say all. They are undoubtedly aware that 3.3.4, being the Fx install default, is widely deployed. So why use the word "all" to describe "all except a major chunk of 3.3.4 installs in Firefox"?
But again, if "all" is unclear, ask them for a definitive confirmation.
Comment 5 (Reporter) • 9 years ago
What's the status of this?
Are you convinced by "All of your LastPass browser extensions should be updated to version 4.1.44 or higher"?
If not, are you going to check with them?
Keep in mind that on March 31st the fix was released and the details were published. So if 3.3.4 is vulnerable, the Firefox LastPass users who have it installed (which is likely a majority since it's still the version that gets installed from the add-on manager and AMO) are exposed to complete credential theft and possibly also remote code execution. As vulnerabilities go, this is almost as bad as it gets.
Meanwhile in Chrome land, it was immediately auto-updated. In the Firefox ecosystem you get exposed for weeks to horrible vulnerabilities because neither LastPass nor Mozilla seem to give an eff. Which browser would you choose?
Comment 7 (Reporter) • 9 years ago
So you found the time to report my comment and have it deleted, but not to protect Fx users from a major vulnerability. That just makes my point. Perhaps you can use the rest of the time you're not protecting users to work on getting me banned.
Comment 8 • 8 years ago
Closing this bug, since it related to old versions of LastPass that don't work on current versions of Firefox.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX