Subscribe

Failure to implement three-year-old Plex update led to LastPass security breach

March 6, 2023

One of the two significant security breaches that affected LastPass last year could have been avoided with a three-year-old Plex update. This was revealed when more details about the second incident were revealed.

As a result of an exploit in Plex, a cloud storage service for movie storage and streaming, a malicious party was able to install a keylogger on a senior engineer’s home computer and access corporate-level caches. However, it appears that the engineer was also involved in this tragic accident.

Plex has disclosed that the previously stated attack exploited a flaw that was first publicly disclosed on May 7, 2020. And the LastPass employee whose computer was compromised never upgraded their client to deploy the fix.

By interlacing the locations of the server data directory and a library that allowed Camera Uploads, people with access to a server administrator’s Plex account could upload a malicious program through the Camera Upload functionality and have the media server run it.

The flaw allowed those with access to a server administrator’s Plex account to upload a malicious file via the Camera Upload feature and have the media server execute it by overlapping the locations of the server data directory with a library that allowed Camera Uploads. To close the gap, the company released Plex Media Server v1.19.3 the same day.

The sources for this piece include an article in AndroidPolice.

Top Stories

Cisco breach exposes 300+ repos after supply chain attack

OpenAI cuts Sora with $1M-a-day costs to free up resources for core AI models

AI boom faces new constraint as helium disruption slows chip production

New Google update targets sensitive data exposure in search results

GitHub Copilot to train on user data by default 

Microsoft pulls Copilot Chat from core Office apps for enterprise customers

Related Articles

Cisco breach exposes 300+ repos after supply chain attack

April 1, 2026 Cisco suffered a cyberattack after attackers used stolen credentials from a compromised developer tool to access its more...

New Google update targets sensitive data exposure in search results

March 30, 2026 Google has expanded its “Results about you” tool, allowing users to remove highly sensitive personal data, including more...

GitHub Copilot to train on user data by default 

March 27, 2026 Microsoft is updating GitHub Copilot to train on real-world developer interactions, expanding beyond public code datasets to more...

Researcher Says “APT” Label No Longer Reflects the Threat Landscape

March 23, 2026 David Shipley, co-host of Cybersecurity today is covering RSAC for Tech Newsday and Cybersecurity Today.  SAN FRANCISCO more...

Picture of TND Newsdesk

TND Newsdesk

Picture of TND Newsdesk

TND Newsdesk

Jim Love

Jim is an author and podcast host with over 40 years in technology.

Share:
Facebook
Twitter
LinkedIn
Tech News Day is a daily publication featuring key news stories about technology and how it affects businesses.

Follow Us

X-twitter Linkedin-in

Popular categories

Tech News Delivered

New, Relevant Tech Stories. Our selection is done by industry professionals – executives like you who pick the top stories for that day. Our writers summarize them to give you the key takeaways.
Subscribe
© 2025 TECHNEWSDAY. All rights reserved.