So, LastPass had another flaw, and it all started with an aha moment from our security researcher, Tavis Ormandy over at Google's Project Zero. He writes here: "I had an epiphany in the shower this morning and realized how to get code exec in LastPass 4.1.43, full report and exploit on the way." So Tavis has a shower thought that leads to this. And this is an interesting flaw. And the flaw probably exists in a lot of places, if I had to guess, and we're probably going to see a lot of companies, because of LastPass being called out on this, we may see a change in the way Java is implemented by a lot of security companies or companies that care about this particular flaw. So a major part of the LastPass Password Manager is content scripts, additional purpose JavaScript that is injected into pages and can change or monitor content. LastPass uses content scripts to search web pages for forms, additional UI elements, and so on. It is safe to have content scripts with higher privilege than the page they are injected into because of a concept called isolated worlds. An isolated world is a JavaScript execution environment that shares the same DOM, but not variables, functions and so on. Okay, what they're saying here is that LastPass runs at a higher level than the JavaScript inside there, but can manipulate the web page. That's great. This is where the flaw comes in. Now most programming languages require you to declare your variables prior to use. So you have to explicitly declare what the variables are, type in definitions of the variables before you use them in code. Java lets you do that on the fly. It's kind of a feature. So you can just write in a variable and start using it. Well, LastPass doesn't declare their variables because they're using Java. Now it doesn't mean you can't in Java. It just simply means that you don't have to. So what they did was use variables, whether or not they existed, as part of the code flow.
And the other pages don't technically have permission. So conceptually you're going, well, the other lower levels of Java can't manipulate the higher level of Java, the isolated world that LastPass runs in, except it can in a certain way. If the variable's been set, so I say var trusted equals false. So we have this variable where we're not trusted and we're going to make it equal false. That means something in the script can't change that variable because it's been declared. So they may be able to read the variable, they go, that site's not trusted. But when you don't declare your variables, we could flip a variable with the lower level permission because it doesn't exist. So we're intentionally creating it at the lower level. And this is partly because Java doesn't have clear separation of namespaces in the way other languages do. And here's all the different variables you can set in there. And if they're not declared, whatever these things are, like for example, verify a multi-factor, multi-factor auth, multi-factor repomp, go home. So some of these other features, and these are just a few of them, if they're not declared, the lower level script can set those and then change, for example, the settings in LastPass, because LastPass is reading the variables. So if the lower level one executes and creates a variable prior to LastPass's declaration of said variable, you could have an exploit. So it's really clever, and I'm willing to bet a lot of companies are doing this. So this is a proof of concept that was disclosed only to LastPass. Once they got it all done, they fixed it and away they go. So for this to work as it is, you have to have what they call a binary component installed, so it's also a non-trivial hack. So by default, you don't have the binary component in LastPass installed. But this comes down to the way LastPass responded, which was exactly how we wanted them to.
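To illustrate the mechanism described above in running code, here is an added JavaScript example; it is not LastPass or Project Zero code. The shared object standing in for a common namespace and the flag names pageIsTrusted and onSettingsChange are constructed for the example. The weak check reads flags it never declared, so whichever script writes first wins; the hardened check declares its own state locally and never consults the shared namespace.

```javascript
// Constructed example: two "scripts" that see one shared namespace.
// Nothing here is real extension code; the object and names are made up.

// Lower-privileged script that happens to run first. It does nothing
// clever: it simply creates names the privileged script never declared.
function lowerPrivilegedScriptRunsFirst(shared) {
  shared.pageIsTrusted = true;
  shared.onSettingsChange = () => 'callback supplied by the page ran';
}

// Weak privileged check: "use the variable if it already exists" is the
// hazard, because an earlier script can make it exist with any value.
function weakPrivilegedCheck(shared) {
  const trusted =
    typeof shared.pageIsTrusted !== 'undefined' ? shared.pageIsTrusted : false;
  const handler =
    typeof shared.onSettingsChange === 'function'
      ? shared.onSettingsChange
      : () => 'default handler ran';
  return { trusted, result: handler() };
}

// Hardened privileged check: every flag and handler is declared with
// const in the function's own scope under strict mode, so earlier writes
// into the shared namespace are never read. The parameter is accepted only
// to show that the same input no longer influences the outcome.
function hardenedPrivilegedCheck(shared) {
  'use strict';
  const pageIsTrusted = false;
  const onSettingsChange = () => 'default handler ran';
  return { trusted: pageIsTrusted, result: onSettingsChange() };
}

// Run the scenario: the lower-privileged script wins against the weak check
// and has no effect on the hardened one.
function demo() {
  const shared = {};
  lowerPrivilegedScriptRunsFirst(shared);
  return { weak: weakPrivilegedCheck(shared), hardened: hardenedPrivilegedCheck(shared) };
}
```

The same weak check run against an empty namespace returns trusted false, which is why the flaw is easy to miss in normal testing.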
They went through, they fixed it, it wasn't real hard to fix, you had to declare all your variables; a little bit hard to fix, there's a lot of variables they had to declare. So they went through, updated the extension, updated all of the isolated worlds and trusted pages, functions, and now everything's fixed, which is great. Now, the answer, I hear a lot of people going, well, I use XYZ, whatever password manager they say, because it hasn't had an exploit found. Well, there may not be a Tavis or anybody looking at it. Are there security researchers bashing away at that product? The reason LastPass gets its name in lights all the time is because they are by far the largest password manager. So them being the biggest means it has the largest number of users that can be affected by a flaw in the system. I'm willing to bet the other systems probably wrote their Java implementations in the same way and the only way to, we'll probably never find out because they're all closed source, but maybe updates come from some of the other password managers. So it's not that other ones are more secure, less secure, it just comes down to whether or not there's people pounding away at them. And when you have some of the top researchers like Tavis pounding away on a product, it's because he cares about that product. He probably could just hone some other one, but if it had no user base, what would be the point? It wouldn't really get your name in lights at all. It wouldn't be newsworthy. It's newsworthy for LastPass because they're so big. So if you have some other security tool that like 10 people are using and go, it's never been exploited, never been exploited never means secure. It may mean untested, it might be secure, but until it's gone through rigorous testing and rigorous scrutiny by security researchers, I don't really consider it good. I still continue to use LastPass because, one, they're very responsive to these types of bugs.
They don't mind that Tavis starts out with a shower thought, CVE. He follows proper disclosure. We're really happy Tavis is one of the good guys in this bug finding game that's being played every single day on the internet. And there were no reports of this being used in the wild as an exploit. So that being said, I'm glad they fixed it. And that's just kind of a quick update. Now, this is different than the one I did before. So this is a secondary problem with LastPass. The first one was code execution based on a manifest file. That was the one in the previous video; this video is about the security update for undeclared Java variables. And, you know, it's really interesting. It would have required someone to inject script to lie to LastPass, have a fundamental understanding of how to do it. But it can be done. So it's, but it can't be done anymore because it's been fixed. LastPass was right away on it. So if there's some reason you're forcing LastPass to an older version, I don't even know if you can do that. Don't. Make sure you have everything up to date and you're safe from this. So if you like the content here, like and subscribe, leave comments below if you have questions. Hopefully that explanation made some sense. Thank you.