All of your LastPass browser extensions should be updated to version 4.1.44 or higher
Given the severity, complete credential theft and possibly? remote code execution, what is the justification for keeping it as the default for new installs and not updating or disabling existing installs?
What has been mentioned before is that 4.x has not passed your review. That does not answer my question.
Even if you won’t allow 4.x to release, you have the means to block 3.3.4 (for new installs and in existing ones). Given the severity of the vulnerability why has that not been done?
Are the remaining issues preventing the release of 4.x more severe than the vulnerability? Obviously not. So why hold it up?
Either choice would be better than standing by, being fully cognizant that Fx users’ credentials are completely exposed.
If there is a security issue, it should be reported.
If the security issue has been reported by 3rd parties, then it should be reported to AMO.
If the security issue has been reported by the developer, then the developer has the power to disable the addon in addition to reporting it to AMO.
I don’t know what you’re asking. I linked to the LastPass blog post. It explains the vulnerability, links to the Tavis Ormandy report, and states unequivocally that
All of your LastPass browser extensions should be updated to version 4.1.44 or higher
What else does AMO need?
the developer has the power to disable the addon
Well, evidently LastPass doesn’t care about their Fx users, does Mozilla?
If the developer is reporting the security issue, then the developer should upload a new version to AMO.
If a version has security problems, the DEVELOPER should disable that version on AMO.
If they have not, then you should ask the developer for the reason.
AMO will disable a version if there are reports from users. AMO does not (can not) check what is said on developers’ sites.
The questions in this post are misdirected. The developer should have been able to answer the queries.
If a user wants to report a security issue that the developer has neglected to deal with (meaning disable the affected versions), then there is a different reporting procedure.
Finally, their version had bugs on Firefox. They finally fixed and uploaded Version 4.1.49 · May 3, 2017 · which was Approved and is online.