Failure to implement three-year-old Plex update led to LastPass security breach


One of the two significant security breaches that affected LastPass last year could have been avoided with a three-year-old Plex update, according to newly released details about the second incident.

By exploiting a flaw in Plex, a cloud storage service for storing and streaming movies, a malicious party was able to install a keylogger on a senior engineer's home computer and access corporate-level caches. However, the engineer appears to bear some responsibility for the incident.

Plex has disclosed that the attack exploited a flaw first publicly disclosed on May 7, 2020, and that the LastPass employee whose computer was compromised never upgraded their client to deploy the fix.

The flaw allowed anyone with access to a server administrator's Plex account to upload a malicious file via the Camera Upload feature and have the media server execute it, by overlapping the location of the server data directory with that of a library that allowed Camera Uploads. To close the gap, the company released Plex Media Server v1.19.3 the same day.
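The two conditions the article describes (an unpatched server, and a Camera Upload library whose path overlaps the server's own data directory) are both things an administrator can audit from configuration alone. The following is an added defender-side example, not code from the article or from Plex: it compares a version string against the v1.19.3 fix release named above and flags library directories that sit inside, or contain, the data directory. The directory paths in the sample are constructed placeholders and do not reflect Plex's real install layout, and the version-string format is an assumption.

```python
import os
from typing import Iterable, List, Tuple

# Fix release named in the article: Plex Media Server v1.19.3 (May 7, 2020).
FIXED_VERSION: Tuple[int, ...] = (1, 19, 3)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '1.19.2' or 'v1.18.9.2578-abc' into a tuple
    of ints. A leading 'v' and any '-suffix' are dropped (format is assumed)."""
    core = version.strip().lstrip("v").split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_patched(version: str) -> bool:
    """True if the reported server version is at least the fix release.
    Python compares tuples lexicographically, so '1.19.3.4567' >= '1.19.3'
    and '1.19.2.9999' < '1.19.3' behave as expected."""
    return parse_version(version) >= FIXED_VERSION


def overlapping_libraries(data_dir: str, library_dirs: Iterable[str]) -> List[str]:
    """Return the library directories that overlap the server data directory,
    i.e. a library nested inside the data directory or a library that contains
    it. Either layout lets uploaded media land among the server's own files,
    which is the overlap the article says the flaw relied on."""
    data = os.path.abspath(os.path.normpath(data_dir))
    flagged = []
    for lib in library_dirs:
        path = os.path.abspath(os.path.normpath(lib))
        # commonpath is a real path component match, so '/srv/plex' overlaps
        # '/srv/plex/data' but '/srv/plexfoo' does not.
        if os.path.commonpath([data, path]) in (data, path):
            flagged.append(lib)
    return flagged


def audit(version: str, data_dir: str, upload_library_dirs: Iterable[str]) -> List[str]:
    """Combine both checks into a list of human-readable findings (empty = clean)."""
    findings = []
    if not is_patched(version):
        findings.append(f"server version {version} predates fix release 1.19.3")
    for lib in overlapping_libraries(data_dir, upload_library_dirs):
        findings.append(f"camera-upload library overlaps server data directory: {lib}")
    return findings


if __name__ == "__main__":
    # Constructed sample configuration (placeholder paths, not Plex's real layout).
    sample_data_dir = "/srv/plex/server-data"
    sample_libraries = [
        "/srv/media/movies",                 # fine: disjoint from the data directory
        "/srv/plex/server-data/uploads",     # flagged: nested inside the data directory
        "/srv/plex",                         # flagged: contains the data directory
        "/srv/plexfoo",                      # fine: shares a prefix string only
    ]
    for line in audit("1.19.2", sample_data_dir, sample_libraries):
        print("FINDING:", line)
```

Run as a script it prints three findings for the constructed sample: the stale version and the two overlapping libraries. In practice the version and library paths would be read from the server's own settings rather than typed in, and the point of the second check is that keeping upload-enabled libraries on a separate filesystem path from the server's data is a cheap mitigation independent of patch level.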

The sources for this piece include an article in AndroidPolice.
