Why are you serving a vulnerable lastpass version (3.3.4)?

ephbase-moz · May 3, 2017, 4:04pm

According to Lastpass, 3.3.4 is vulnerable:

All of your LastPass browser extensions should be updated to version 4.1.44 or higher

Given the severity, complete credential theft and possibly? remote code execution, what is the justification for keeping it as the default for new installs and not updating or disabling existing installs?

erosman · May 3, 2017, 6:39pm

It has been mentioned before:

https://discourse.mozilla-community.org/search?q=lastpass

ephbase-moz · May 4, 2017, 1:13am

What has been mentioned before is that 4.x has not passed your review. That does not answer my question.

Even if you won’t allow 4.x to release, you have the means to block 3.3.4 (for new installs and in existing ones). Given the severity of the vulnerability why has that not been done?
Are the remaining issues preventing the release of 4.x more severe than the vulnerability? Obviously not. So why hold it up?

Either choice would be better than standing by, being fully cognizant that Fx users’ credentials are completely exposed.

erosman · May 4, 2017, 4:49am

@jorgev might be able to answer that.

If there is a security issue, it should be reported.

If the security issue has been reported by 3rd parties, then it should be reported to AMO.
If the security isseu has been reported by the developer, then the developer has the power to disable the addon in addition to reporting it to AMO.

Who has reported the security issue and to whom?

ephbase-moz · May 4, 2017, 4:01pm

Who has reported the security issue and to whom?

I don’t know what you’re asking. I linked to the lastpass blog post. It explains the vulnerability, links to the Tavis Ormandy report, and states unequivocally that

All of your LastPass browser extensions should be updated to version 4.1.44 or higher

What else does AMO need?

the developer has the power to disable the addon

Well, evidently lastpass doesn’t care about their Fx users, does Mozilla?

erosman · May 5, 2017, 7:05am

If developer is reporting the security issue, then the developer should upload a new version to AMO.

If a version has security problems, the DEVELOPER should disable that version on AMO.
If they have not, then you should ask the developer for the reason.

AMO will disable a version if there are reports from users. AMO does not (can not) check what is said on developers sites.

The questions in this posts are misdirected. The developer should have been able to answer the queries.

If a user wants to report a security issue that the developer has neglected to deal with (meaning disable the affected versions), then there is a different reporting procedure.

Finally, their version had bugs on Firefox. They finally fixed and uploaded Version 4.1.49 · May 3, 2017 · which was Approved and is online.

erosman · May 12, 2017, 4:44am

After all that … there are a LOT reports by users who have problems with v4 and are rolling back to 3.3.4