LastPass hack used Plex vulnerability that was patched three years ago
March 06, 2023 09:09
Last November's LastPass hack exploited a vulnerability in Plex that had already been patched in May 2020, PCMag discovered. The hack could have been prevented if the employee on whose home computer the malware was installed had updated the software.
It concerns the CVE-2020-5741 vulnerability in the Plex Media Server software, PCMag writes. The Camera Upload feature allowed attackers to force the server to execute malicious code. To do this, the attackers must already have had administrative access to the LastPass employee's Plex account; it is not known how they obtained it. After the malware was installed on the LastPass devops programmer's computer, the hackers were able to record the victim's keystrokes and learn the master password. The LastPass employee subsequently approved the multi-factor authentication request himself.
In a response, Plex tells PCMag that a patch for the vulnerability was released in May 2020, but that the employee in question never upgraded the software. Since then, 75 new versions of Plex have been released. It is unclear why the programmer has not updated the software in all this time, especially since many of the updates are supposed to happen automatically.
Through this senior devops programmer, the attackers gained access last year to LastPass's cloud backups, which contained customer data such as MFA seeds and identifiable information, LastPass announced last week. Five blobs were also downloaded from backups of customers who had accounts between August 20 and September 8. Those blobs contained encrypted fields, such as passwords, as well as unencrypted fields, such as URLs.