• Popular password manager LastPass patched a security flaw that let a malicious website read the credentials its browser extension had most recently filled.
  • This vulnerability has been fixed in the latest version of the application.

Vulnerability details

Tavis Ormandy, a Google Project Zero researcher, published a report that details the steps to reproduce the bug.

  • Ormandy rated the bug high severity: the attack runs from JavaScript on a page the victim visits, and needs no interaction with the extension itself beyond ordinary clicks on the attacker's page.
  • The vulnerability can be exploited by luring the victim to a malicious website, whose script then extracts the credentials the browser extension last filled.
  • Ormandy believes the bug isn't hard to exploit, because the attacker can hide the malicious page behind a trusted URL such as Google Translate.
  • Google reported the bug to LastPass on August 29, and the patch went live on September 13.
  • The disclosure was private, and there is no evidence of exploitation in the wild.

What did the LastPass team do?

Ferenc Kun, security engineering manager at LastPass said, “To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times. This exploit may result in the last site credentials filled by LastPass to be exposed. We quickly worked to develop a fix and verified the solution was comprehensive with Tavis,” in a blog published by the company.

  • The fix is available in the latest version, 4.33.0, released last week.
  • The blog also states that the bug was limited to the Chrome and Opera browsers, but the update has been deployed to all browsers as a precaution.

What should you do?

Although the update should apply automatically, make sure you are running the latest version, since some browsers allow automatic extension updates to be disabled.
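One way to check this across a fleet rather than by hand, as an added example that is not part of the article or of LastPass's own tooling: the script below walks a Chromium-style profile's Extensions directory, reads each manifest.json and flags any LastPass install older than 4.33.0. It assumes the <profile>/Extensions/<id>/<version>/manifest.json layout used by Chromium-based browsers such as Chrome and Opera, and matches installs on the manifest name (or on an extension id you pass in); the sample profile it builds, including its extension ids, is constructed for the demo and not real data.

```python
"""Audit installed browser-extension versions against a minimum version.

Added example for this article, not code from Cyware or LastPass.
Assumptions (not stated in the article): the on-disk layout
<profile>/Extensions/<id>/<version>/manifest.json used by Chromium-based
browsers such as Chrome and Opera, and that the LastPass manifest's "name"
contains "LastPass".  The sample profile built below is constructed for
the demo; its extension ids are placeholders, not real Web Store ids.
"""
import json
import os
import re
import tempfile

MIN_FIXED_VERSION = "4.33.0"  # first version carrying the fix, per LastPass


def parse_version(version):
    """Turn '4.33.0' into (4, 33, 0) so versions compare numerically.

    Parsing stops at the first non-numeric component (e.g. '4.33.x'
    becomes (4, 33)); a version with no numeric prefix becomes ().
    """
    parts = []
    for piece in str(version).strip().split("."):
        m = re.match(r"\d+", piece)
        if m is None:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_patched(version, minimum=MIN_FIXED_VERSION):
    """True when `version` is at least `minimum`.

    Both tuples are right-padded with zeros so that '4.33' equals '4.33.0'
    instead of sorting below it as a shorter tuple would.
    """
    installed, required = parse_version(version), parse_version(minimum)
    width = max(len(installed), len(required))
    installed += (0,) * (width - len(installed))
    required += (0,) * (width - len(required))
    return installed >= required


def scan_extensions(extensions_root, name_pattern=r"lastpass", ext_ids=None):
    """Walk an Extensions directory and report every matching install.

    An install matches when its manifest "name" matches `name_pattern`
    (case-insensitive) or its id is in `ext_ids`.  Returns a sorted list
    of (extension_id, version, patched) tuples.  Unreadable manifests are
    skipped rather than guessed at.
    """
    pattern = re.compile(name_pattern, re.IGNORECASE)
    wanted_ids = set(ext_ids or ())
    results = []
    for dirpath, _dirs, files in os.walk(extensions_root):
        if "manifest.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "manifest.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue
        # Layout is <root>/<id>/<version>/manifest.json (assumption above).
        version_dir = os.path.basename(dirpath)
        ext_id = os.path.basename(os.path.dirname(dirpath))
        name = str(manifest.get("name", ""))
        if not (pattern.search(name) or ext_id in wanted_ids):
            continue
        version = str(manifest.get("version", version_dir))
        results.append((ext_id, version, is_patched(version)))
    return sorted(results)


def build_sample_profile():
    """Create a constructed Extensions tree with a stale LastPass build,
    the patched build and an unrelated extension (demo data only)."""
    root = tempfile.mkdtemp(prefix="ext-audit-")
    lastpass_id = "a" * 32  # placeholder id, not LastPass's real one
    other_id = "b" * 32
    fixtures = [
        (lastpass_id, "4.32.0", "LastPass: Free Password Manager"),
        (lastpass_id, "4.33.0", "LastPass: Free Password Manager"),
        (other_id, "1.2.3", "Some Other Extension"),
    ]
    for ext_id, version, name in fixtures:
        ext_dir = os.path.join(root, ext_id, version)
        os.makedirs(ext_dir)
        with open(os.path.join(ext_dir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump({"name": name, "version": version, "manifest_version": 2}, fh)
    return root


if __name__ == "__main__":
    import sys
    # Pass a real <profile>/Extensions path as argv[1]; otherwise audit the demo tree.
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_profile()
    for ext_id, version, ok in scan_extensions(root):
        print(f"{ext_id} {version} {'patched' if ok else 'NEEDS UPDATE'}")
```

Real manifests frequently carry a localized placeholder such as `__MSG_appName__` instead of a readable name, so in production pass the extension's real id through `ext_ids` rather than relying on the name match. A lingering old version directory, as in the demo tree, is not by itself a problem; the stale entry only matters if the browser is still loading it, which this script cannot tell you.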

LastPass also recommends that users follow general best practices such as using unique passwords for different sites, enabling multi-factor authentication, and never revealing the password manager's master password to anyone.

Cyware Publisher