LastPass quietly fixed a rather severe security bug

We’re strong advocates for the use of a password manager but news of a security bug present in LastPass has us just a little bit worried.

Last week, LastPass fixed a bug present in version 4.33.0 of its software in which it was possible for an attacker to access a user’s password.

The bug was discovered by Tavis Ormandy, a security researcher at Google’s Project Zero.

The researcher found that using malicious JavaScript, an attacker could glean credentials from previous websites a LastPass user had visited.

While a user would have to visit a malicious website running the code, it isn’t all that hard to obfuscate a URL so that a user clicks the link and unknowingly falls prey to malicious code.

Thankfully, Ormandy disclosed the bug to LastPass and it has since been fixed. The security researcher has, however, written up how the bug worked for you to take a look at.

For the simplified version, LastPass explained, “To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times. This exploit may result in the last site credentials filled by LastPass to be exposed.”

LastPass said in a blog post that even though the bug only affected the Chrome and Opera browsers, it has deployed the patch to all browsers, just in case.

While this is a bit of a fumble on LastPass’ part, we are still inclined to recommend using a password manager over reusing passwords, storing them in the browser or writing them down in your diary.
