LastPass Employee Neglect Leads to Data Breach Through Plex Account
Source: LastPass
LastPass, a password manager that experienced two major data breaches last year, recently detailed the events leading to the second breach. An attacker installed a keylogger on a senior engineer’s home computer by exploiting a vulnerability in the personal cloud service Plex, and used the captured credentials to break into corporate-level caches. The employee’s failure to update their Plex client was a contributing factor to the breach.
The exploit relied on a vulnerability that Plex disclosed on May 7, 2020, which the LastPass employee neglected to patch. The weakness allowed anyone with access to a server administrator’s Plex account to upload a malicious file using the Camera Upload feature. The exploit worked because the media server executed the uploaded file when the server’s data directory overlapped with a library that allowed Camera Uploads. Plex Media Server v1.19.3 was released the same day to resolve the issue.
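The root cause described above is a version gap plus an overlap between the server data directory and a Camera Upload library. The following added example (not from the article, Plex or LastPass) shows how an administrator could check both conditions; the library configuration format and the `camera_upload` field are assumptions, and the sample data directory is constructed.

```python
import os
from typing import List, Tuple

# Plex Media Server release that, per the disclosure, resolved the
# Camera Upload issue (v1.19.3, released May 7, 2020).
FIXED_VERSION = (1, 19, 3)

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.19.3.2764' into (1, 19, 3, 2764) for tuple comparison."""
    return tuple(int(p) for p in v.strip().lstrip("v").split("."))

def is_patched(version: str) -> bool:
    """True if the server version is at least the fixed release."""
    return parse_version(version)[:3] >= FIXED_VERSION

def paths_overlap(a: str, b: str) -> bool:
    """True if one path equals the other or lies inside the other."""
    a = os.path.normpath(os.path.abspath(a))
    b = os.path.normpath(os.path.abspath(b))
    return os.path.commonpath([a, b]) in (a, b)

def risky_libraries(data_dir: str, libraries: List[dict]) -> List[str]:
    """Names of Camera-Upload-enabled libraries whose paths overlap the
    server data directory, i.e. the overlap the exploit depended on."""
    return [
        lib["name"] for lib in libraries
        if lib.get("camera_upload")
        and any(paths_overlap(data_dir, p) for p in lib["paths"])
    ]

# Constructed sample configuration (hypothetical field names, not Plex's own).
SAMPLE_DATA_DIR = "/var/lib/plexmediaserver/Library/Application Support/Plex Media Server"
SAMPLE_LIBRARIES = [
    {"name": "Photos", "camera_upload": True,
     "paths": [SAMPLE_DATA_DIR + "/Photos"]},          # overlaps: flagged
    {"name": "Movies", "camera_upload": False,
     "paths": ["/srv/media/movies"]},                  # uploads off: fine
    {"name": "Mobile uploads", "camera_upload": True,
     "paths": ["/srv/media/uploads"]},                 # separate tree: fine
]

if __name__ == "__main__":
    print("patched:", is_patched("1.19.3.2764"))
    print("risky libraries:", risky_libraries(SAMPLE_DATA_DIR, SAMPLE_LIBRARIES))
```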
LastPass declined to comment on the recent disclosures. The revelations make clear that the successful attack began with LastPass allowing a senior employee to access privileged workspaces from their home PC. That arrangement opened the door for the attacker to gain access to the Plex account and execute the exploit.
LastPass will need to undertake significant corrective action to restore trust in their password manager after these breaches and the new revelations.