Failure to implement three-year-old Plex update led to LastPass security breach

Share post:

One of the two significant security breaches that affected LastPass last year could have been avoided with a three-year-old Plex update. This was revealed when more details about the second incident were revealed.

As a result of an exploit in Plex, a cloud storage service for movie storage and streaming, a malicious party was able to install a keylogger on a senior engineer’s home computer and access corporate-level caches. However, it appears that the engineer was also involved in this tragic accident.

Plex has disclosed that the previously stated attack exploited a flaw that was first publicly disclosed on May 7, 2020. And the LastPass employee whose computer was compromised never upgraded their client to deploy the fix.

By interlacing the locations of the server data directory and a library that allowed Camera Uploads, people with access to a server administrator’s Plex account could upload a malicious program through the Camera Upload functionality and have the media server run it.

The flaw allowed those with access to a server administrator’s Plex account to upload a malicious file via the Camera Upload feature and have the media server execute it by overlapping the locations of the server data directory with a library that allowed Camera Uploads. To close the gap, the company released Plex Media Server v1.19.3 the same day.

The sources for this piece include an article in AndroidPolice.

SUBSCRIBE NOW

Related articles

Hackers Plant False Memories in ChatGPT to Steal User Data

A security researcher has uncovered a vulnerability in ChatGPT that could allow hackers to store false information and...

“Octo2” Trojan Targets Bank Accounts by Posing as VPN or Chrome Apps on Android

A new malware variant called “Octo2” is spreading across Android devices by posing as popular apps like NordVPN...

Evilginx – Open source tool can bypass Multi-Factor Authentication (MFA)

Security vendor Abnormal Security is reporting a new cybersecurity tool that is gaining traction among cybercriminals. The tool,...

Kaspersky’s exit from US market frightens some customers

Kaspersky, the Russian cybersecurity firm, has unexpectedly removed its antivirus software from U.S. customers' computers, replacing it with...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways