LastPass Fixes a bug that could let Malicious website Extract your last used Password
LastPass has released details of a vulnerability on the platform that exposed credentials used on a previous website. ZDNet reported that the bug was discovered by a security researcher Tavis Ormandy who is part of Google’s Project Zero project – Google’s elite security and bug hunting team last month. The bug relies solely on executable JavaScript code and needs no user interaction to do its job.
According to Ormandy, an attacker could hide a malicious link behind a Google Translate users, tricking users to visiting the link then he/she can now be able to extract credentials used on the last site.
I think it’s fair to call this “High” severity, even if it won’t work for *all* URLs,” Ormandy wrote in Google’s Project Zero reporting site.
LastPass could leak the last used credentials due to a cache not being updated. This was because you can bypass the tab credential cache being populated by including the login form in an unexpected way! https://t.co/bfLdDzSWS5
— Tavis Ormandy (@taviso) September 16, 2019
If you use LastPass as your password manager, there is no need to worry now. LastPass stated they have already patched the vulnerability. You are advised to update to the latest version 4.33.0, which was released last week on September 12. The update is both available for Chrome, Firefox, Safari, Edge, Internet Explorer and Opera.
To view your extension version, navigate to your browser extension manager page and tap on LastPass. Below the app’s description, you will be able to see the version as well.
Keep in mind that the researcher has published the details of the security bug already, which guides any malicious actors who want to sniff on your passwords.
Does that make Password Managers Bad?
If you are not using a password manager already, it is still advisable to use one. Although Password managers, just like any other software programs, are also vulnerable to attacks. But from a security perspective, they can save you a lot in your struggles to empress secure and strong passwords.
Follow us on Telegram, Twitter, Facebook, or subscribe to our weekly newsletter to ensure you don’t miss out on any future updates.
