LastPass bug could have exposed login credentials

Shawn Knight

The big picture: Incidents like this are a reminder that while password managers are a very handy tool, they aren’t foolproof. You’ll still want to follow best practices for online security when using them such as being aware of phishing attacks, using multi-factor authentication, never reusing your master password, having different passwords for every online account and keeping your system free of malware.

Freemium password manager LastPass has patched a security flaw that could have allowed hackers to scrape login details from the last site you visited.

Tavis Ormandy, a security researcher on Google’s Project Zero team, responsibly disclosed the discovery late last month. To exploit the bug, a user would have needed to take a series of actions, including filling a password using the LastPass icon, then visiting a malicious site and being tricked into clicking on the page several times.

LastPass said it worked quickly to develop a fix and verified it with Ormandy. While any potential exposure was limited to the Chrome and Opera browsers, LastPass said it deployed the update to all browsers as a precaution.

Fortunately, LastPass users shouldn’t have to do much as the client has likely already automatically updated itself by now. You can check your LastPass version number by navigating to Account Options -> About LastPass. If you’ve got v4.33.0 / v4.33.4 then you’re golden.

Image credit: LastPass by Sharaf Maksumov


 
A bug in a password manager? Who would have thunk it?
A security researcher :)

Good news is, the team actually did what they were supposed to do... sadly doing the necessary doesn't seem to be an upward trend.

I'm assuming even with the bug you'd still have been prompted that the login credentials were going to be sent to another domain; I've found this feature really useful.
 
Perhaps I should have added /sarcasm ;)

Personally, I do not use password managers and never will. And I do not use the same password on every site. In fact, I have several different passwords. The easiest to remember are the phrases - especially when they follow the new recommendations for passwords.
 
For sure, I added the smiley face right next to it for the same purpose :) next time I'll use /s

You have a method to remember your passwords, I did too. I actually even built a small matrix I carried with me in case I forgot how to crack it, but it can be cracked. After that I realized that if a couple of my passwords were out in the open through hacked services, if someone wanted to dedicate time it wouldn't be that hard to find a pattern.

But, to each their own. If that works for you, great.
 