A 3-Year-Old Plex Update Could Have Stopped the LastPass Breach: Here’s How

For anyone who doesn’t know, LastPass is a popular password management service that lets its users store and manage their passwords in a secure vault. It is worth mentioning that the LastPass breach occurred back in 2015 and involved unauthorized access to LastPass users’ email addresses, password reminders, and encrypted master passwords. It followed two massive data breaches last year. During the second incident last week, a malicious party installed a keylogger on a senior engineer’s home computer using an exploit in Plex. So what is Plex? It is a personal cloud service for storing and streaming movies, and the exploit in it gave the attacker a way into corporate-level caches. However, reports claim that the engineer had a big part to play in this failure as well. So, let’s dig into it.

LastPass Engineer Played A Big Role In LastPass Breach

Plex has recently revealed that the exploit took advantage of a vulnerability that was disclosed back on May 7, 2020. The company also said that, for some reason, the LastPass employee never updated their client to apply the patch. As a result, the loophole allowed anyone with access to a server administrator’s Plex account to upload a malicious file through the Camera Upload feature and, by making the server data directory overlap with a library that allowed Camera Uploads, to have the media server execute it.
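The two conditions described above (a server older than the fixed release, and a Camera Upload library whose path overlaps the server data directory) are what an administrator would want to audit. The script below is an added example written for this article, not code from Plex or from the article; the data directory and library paths are constructed sample values, and the only version number taken from the article is 1.19.3.

```python
import os
from pathlib import Path

# Plex Media Server release that closed the Camera Upload hole (per the article).
PATCHED_VERSION = (1, 19, 3)


def parse_version(version: str) -> tuple:
    """Turn a string such as '1.19.3.2764-ef515a800' into a tuple of its leading numeric parts."""
    parts = []
    for piece in version.split("-")[0].split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def needs_update(installed: str) -> bool:
    """True when the installed major.minor.patch is older than the fixed release."""
    return parse_version(installed)[:3] < PATCHED_VERSION


def overlapping_libraries(data_dir: str, camera_upload_libraries) -> list:
    """Return every library path that is the server data directory or lies inside it.

    Paths are normalised (so '..' segments cannot hide the overlap) before comparing.
    """
    root = Path(os.path.abspath(os.path.normpath(data_dir)))
    hits = []
    for lib in camera_upload_libraries:
        candidate = Path(os.path.abspath(os.path.normpath(lib)))
        if candidate == root or root in candidate.parents:
            hits.append(lib)
    return hits


def audit(installed_version: str, data_dir: str, camera_upload_libraries) -> list:
    """Collect human-readable findings; an empty list means neither condition is present."""
    findings = []
    if needs_update(installed_version):
        findings.append(f"server {installed_version} predates fixed release 1.19.3")
    for lib in overlapping_libraries(data_dir, camera_upload_libraries):
        findings.append(f"Camera Upload library overlaps server data directory: {lib}")
    return findings


if __name__ == "__main__":
    # Constructed sample configuration (hypothetical paths, not from any real server).
    sample_data_dir = "/var/lib/plexmediaserver/Library/Application Support/Plex Media Server"
    sample_libraries = [
        "/srv/media/camera",
        "/srv/media/../../var/lib/plexmediaserver/Library/Application Support/Plex Media Server/Plug-ins",
    ]
    for finding in audit("1.18.9.2578", sample_data_dir, sample_libraries):
        print(finding)
```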

The company even released Plex Media Server v1.19.3 on the very same day to patch the gap. A LastPass spokesperson said:

“For reference, the version that addressed this exploit was roughly 75 versions ago.”

However, LastPass declined to comment on the newly revealed information. What is surprising to us is that the chain of events that led to this breach started right at the top. LastPass allowed senior employees to access privileged work surfaces from their personal computers. That opened up the possibility for someone to gain access to this employee’s Plex account and run a long-patched exploit, which worked only because of negligence and resulted in unfettered access to those work surfaces. The way things have developed, LastPass needs a bigger shovel to dig itself out of this hole.


Laiba Mohsin

Laiba is an Electrical Engineer seeking a placement to gain hands-on experience in relevant areas of telecommunications. She likes to write about tech and gadgets. She loves shopping, traveling and exploring things.
