LastPass finally fixes exploit that leaks your recently used credentials


Popular password manager LastPass has fixed, in its latest update, a serious flaw in its browser extension that potentially allowed a malicious website to read the credentials the extension had most recently filled in.

The clickjacking bug was reported on August 30 by Tavis Ormandy, a researcher with Google Project Zero, the company's white-hat team devoted to finding vulnerabilities in widely used software, ZDNet reports.

Clickjacking is an attack in which a user is tricked into clicking something disguised as a different element: the target page is typically loaded in an invisible frame laid over a decoy, so a click the user believes is harmless actually triggers an action on the hidden page, leaking confidential information or even handing the attacker control of an account.
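The mechanics behind the attack described above, as an added example that is not code from the article or from LastPass. It pairs a constructed decoy page, which hides a framed victim page under a bait button, with a checker that applies the two browser defenses against framing (X-Frame-Options and the CSP frame-ancestors directive) to a page's response headers and decides whether an attacker's origin may embed it. All origins, header values and the page markup are constructed for illustration.

```javascript
// Added example, not from the article or LastPass: clickjacking decoy page and
// an anti-framing header checker. Origins and headers below are constructed.

// Constructed attacker page. The iframe is stacked above the bait button and
// made transparent, so a click on "Claim your prize" actually lands on
// whatever control sits at that position inside the framed victim page.
const DECOY_PAGE = `<!doctype html>
<button style="position:absolute;top:100px;left:100px">Claim your prize</button>
<iframe src="https://vault.example/confirm"
        style="position:absolute;top:80px;left:60px;width:400px;height:200px;
               opacity:0;z-index:2;border:0"></iframe>`;

// Split a response header that may carry several comma-separated values.
function headerValues(headers, name) {
  const raw = headers[name.toLowerCase()];
  if (raw === undefined) return [];
  return String(raw).split(',').map((v) => v.trim().toLowerCase()).filter(Boolean);
}

// Does one (lowercased) CSP source expression match the framing origin?
// Handles 'none', 'self', '*', scheme-only sources such as "https:", exact
// origins, and host wildcards such as "https://*.example". Ports are compared
// literally, which is enough for this illustration.
function sourceMatches(source, framerOrigin, targetOrigin) {
  if (source === "'none'") return false;
  if (source === '*') return true;
  if (source === "'self'") return framerOrigin === targetOrigin;
  const framer = new URL(framerOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return framer.protocol === source;
  const withScheme = source.includes('://') ? source : `${framer.protocol}//${source}`;
  const [scheme, rest] = withScheme.split('://');
  if (`${scheme}:` !== framer.protocol) return false;
  const [hostPattern, port] = rest.split(':');
  const framerPort = framer.port || (scheme === 'https' ? '443' : '80');
  if (port !== undefined && port !== framerPort) return false;
  if (hostPattern.startsWith('*.')) return framer.hostname.endsWith(hostPattern.slice(1));
  return framer.hostname === hostPattern;
}

// Decide whether framerOrigin may embed the page at targetOrigin, given the
// target's response headers (keys lowercased). As in browsers, a CSP
// frame-ancestors directive takes precedence over X-Frame-Options.
function framingVerdict(headers, targetOrigin, framerOrigin) {
  const csp = headers['content-security-policy'];
  if (csp !== undefined) {
    const directive = String(csp).split(';').map((d) => d.trim().toLowerCase())
      .find((d) => d.startsWith('frame-ancestors'));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1); // empty list behaves like 'none'
      const allowed = sources.some((s) => sourceMatches(s, framerOrigin, targetOrigin));
      return { allowed, reason: `CSP frame-ancestors ${allowed ? 'permits' : 'blocks'} ${framerOrigin}` };
    }
  }
  const xfo = headerValues(headers, 'x-frame-options');
  if (xfo.length === 0) {
    return { allowed: true, reason: 'no anti-framing header: any site may frame this page' };
  }
  if (new Set(xfo).size > 1) {
    return { allowed: false, reason: 'conflicting X-Frame-Options values; treated conservatively as deny' };
  }
  switch (xfo[0]) {
    case 'deny':
      return { allowed: false, reason: 'X-Frame-Options: DENY' };
    case 'sameorigin': {
      const allowed = framerOrigin === targetOrigin;
      return { allowed, reason: `X-Frame-Options: SAMEORIGIN (${allowed ? 'same' : 'cross'}-origin framer)` };
    }
    default:
      // ALLOW-FROM and unknown values are ignored by current Chrome and Firefox,
      // so a page relying on them is framable.
      return { allowed: true, reason: `X-Frame-Options value "${xfo[0]}" is not honoured by current browsers` };
  }
}

// The constructed decoy above only works when the victim page ships without an
// effective anti-framing policy; the hardened headers shut it down.
function demo() {
  const attacker = 'https://attacker.example';
  const victim = 'https://vault.example';
  return {
    unprotected: framingVerdict({}, victim, attacker).allowed,
    hardened: framingVerdict({
      'content-security-policy': "default-src 'self'; frame-ancestors 'none'",
      'x-frame-options': 'DENY',
    }, victim, attacker).allowed,
  };
}
```

Run `demo()` to see the two verdicts side by side. Note the caveat the checker encodes: anti-framing headers protect a web page, but the LastPass bug lived in an extension popup, and an extension UI that can be embedded or positioned by a page needs its own origin and framing checks, since no server header is involved.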

“To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times,” LastPass acknowledged in a statement.

Noting that the issue was specific to Chrome and Opera, LastPass said it has nonetheless pushed an update to the extension for all browsers as a precaution. Users should check that the Chrome and Opera extension is at version 4.33.0 or later and the Firefox extension at 4.33.4.2 or later.

The details of the flaw, now public, show that it could be exploited by malicious JavaScript embedded on any website and masked behind a Google Translate URL. An attacker only had to lure a user to that link to extract the credentials the extension had last filled on a previously visited site.

Although Ormandy rated the bug high severity, LastPass played down its scope, stating that the flaw “revealed a limited set of circumstances on specific browser extensions that could potentially allow an attacker to create a clickjacking scenario.”

A security flaw in LastPass doesn’t mean password managers are bad for security. They remain a far more secure option than saving passwords in the browser, where threat actors can easily retrieve them. Bear in mind, though, that not all password managers are created equal.

Ultimately, whether you use LastPass or another manager, the same rules apply: keep the extension updated, enable two-factor authentication on your accounts (including the password manager itself), set a unique password for each account, and never reuse old passwords.
