LastPass breach could’ve been able to stop a 3-year-old Plex update
Lastpass is on a break from being declared one of the best password managers out there. This occurred after investigating two high-level data breaches in the previous year. We have gotten a detailed report on the second incident during the past week. This week, further information about the second incident came to light. Using an exploit in Plex, a personal cloud service for video storage and streaming, a malicious party was able to install a keylogger on a senior engineer’s home computer and access corporate-level caches as a result. However, it turns out that the engineer also contributed significantly to this catastrophic catastrophe.
As revealed by Plex during questions, hackers have taken advantage of a vulnerability that was disclosed back in 2020. According to the firm, the LastPass employee never updated their client to deploy the patch for whatever reason, according to PCMag.
By overlapping the locations of the server data directory and a library that permitted Camera Uploads, the flaw allowed individuals with login credentials to a server administrator’s Plex account to upload a malicious file through the Camera Upload function and have the media server execute it.
That next day, the company published Plex Media Server v1.19.3 to close the hole.
A LastPass representative stated, “For reference, the version that addressed this issue was about 75 versions ago.
LastPass chose not to respond to the fresh information
What’s obvious to us is that the series of events that resulted in this breach began at the top: LastPass allowed this senior employee to access restricted work areas through their personal computer, creating a vulnerability that could have allowed someone to access this employee’s Plex account, run a long-patched exploit that was successful because of the aforementioned negligence, and then gain full access to those restricted work areas.
Each step in this progression was initiated by a choice, which may have been justifiable at the time for one reason or another. But, given the current state of affairs, LastPass will require a larger shovel to dig itself out of this hole.
RS News or Research Snipers focuses on technology news with a special focus on mobile technology, tech companies, and the latest trends in the technology industry. RS news has vast experience in covering the latest stories in technology.