One of the two significant security breaches that affected LastPass last year could have been avoided with a three-year-old Plex update. This was revealed when more details about the second incident were revealed.
As a result of an exploit in Plex, a cloud storage service for movie storage and streaming, a malicious party was able to install a keylogger on a senior engineer’s home computer and access corporate-level caches. However, it appears that the engineer was also involved in this tragic accident.
Plex has disclosed that the previously stated attack exploited a flaw that was first publicly disclosed on May 7, 2020. And the LastPass employee whose computer was compromised never upgraded their client to deploy the fix.
By interlacing the locations of the server data directory and a library that allowed Camera Uploads, people with access to a server administrator’s Plex account could upload a malicious program through the Camera Upload functionality and have the media server run it.
The flaw allowed those with access to a server administrator’s Plex account to upload a malicious file via the Camera Upload feature and have the media server execute it by overlapping the locations of the server data directory with a library that allowed Camera Uploads. To close the gap, the company released Plex Media Server v1.19.3 the same day.
The sources for this piece include an article in AndroidPolice.