Tavis Ormandy, a Google Project Zero researcher, published a report that details the steps to reproduce the bug.
What did the LastPass team do?
Ferenc Kun, security engineering manager at LastPass, said in a blog published by the company: “To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times. This exploit may result in the last site credentials filled by LastPass to be exposed. We quickly worked to develop a fix and verified the solution was comprehensive with Tavis.”
What should you do?
Although the update should apply automatically, make sure you’re using the latest version as some browsers may disable automatic updates for extensions.
LastPass also recommends that users follow general best practices such as using unique passwords for different sites, enabling multi-factor authentication, and not revealing the password manager’s master password to anyone.