According to Ormandy, an attacker could hide a malicious link behind a Google Translate users, tricking users to visiting the link then he/she can now be able to extract credentials used on the last site.
I think it’s fair to call this “High” severity, even if it won’t work for *all* URLs,” Ormandy wrote in Google’s Project Zero reporting site.
LastPass could leak the last used credentials due to a cache not being updated. This was because you can bypass the tab credential cache being populated by including the login form in an unexpected way! https://t.co/bfLdDzSWS5
— Tavis Ormandy (@taviso) September 16, 2019
If you use LastPass as your password manager, there is no need to worry now. LastPass stated they have already patched the vulnerability. You are advised to update to the latest version 4.33.0, which was released last week on September 12. The update is both available for Chrome, Firefox, Safari, Edge, Internet Explorer and Opera.
To view your extension version, navigate to your browser extension manager page and tap on LastPass. Below the app’s description, you will be able to see the version as well.
Keep in mind that the researcher has published the details of the security bug already, which guides any malicious actors who want to sniff on your passwords.
Does that make Password Managers Bad?
If you are not using a password manager already, it is still advisable to use one. Although Password managers, just like any other software programs, are also vulnerable to attacks. But from a security perspective, they can save you a lot in your struggles to empress secure and strong passwords.