TechSpot

LastPass immediately patches new vulnerabilities discovered by users

By Scorpus
Jul 28, 2016
Post New Reply
  1. Over the past few days, reports have begun to surface about known, major vulnerabilities in password manager LastPass. Today, the company has released a statement regarding these vulnerabilities, revealing that they were addressed immediately.

    The first and most recent vulnerability was discovered by Google Security Team researcher Tavis Ormandy. He uncovered and documented a message-hijacking bug in the LastPass Firefox addon, which could lead to the execution of actions in the background without the user's knowledge. This vulnerability was disclosed to LastPass and fixed within hours, resulting in an update for Firefox users.

    The second vulnerability has been making headlines recently due to a post by security researcher Mathias Karlsson titled "How I made LastPass give me all your passwords". However, as LastPass notes, the issue was disclosed to LastPass more than a year ago and subsequently addressed at the time through an update to all browser extensions.

    The vulnerability in question surrounded the URL parsing code in LastPass' extension, which allowed Karlsson to steal passwords that were mistakenly autofilled on malicious websites. This was a critical security issue, and LastPass published an update to their extension that addressed it in under a day.

    In their post on the matter, LastPass reminds people to be wary of phishing attacks, and suggests good security practices like using two-factor authentication and unique passwords for every account.

    Permalink to story.

     
  2. bexwhitt

    bexwhitt TS Addict Posts: 291   +55

    Lastpass use user side decryption, they have no access to your saved passwords but like the article says for the important stuff use two-factor authentication and unique password for every site.
     
    p51d007 and Reehahs like this.
  3. Reehahs

    Reehahs TS Addict Posts: 169   +70

    Very diligent of them to patch it so quickly.
     
    Jamlad and p51d007 like this.
  4. p51d007

    p51d007 TS Evangelist Posts: 907   +382

    At least they immediately acknowledge & patch it, unlike some software developers who try to make
    up excuses, shuffle their feet or not even acknowledge a problem.
     
  5. wiyosaya

    wiyosaya TS Evangelist Posts: 1,027   +267

    I cannot see using a password manager no matter how responsive the development team.
     
  6. TekGun

    TekGun TS Booster Posts: 156   +17

    I had to update manually for Firefox, the built in addons updater didn't find the latest patch from LP.
     

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...