LastPass bug could have exposed login credentials

Shawn Knight

TechSpot Staff
Staff member

Freemium password manager LastPass has patched a security flaw that could have allowed hackers to scrape login details from the last site you visited.

Tavis Ormandy, a security researcher from Google’s Project Zero team, responsibly disclosed the discovery late last month. To exploit the bug, a user would have needed to take a certain number of actions including filling a password with the LastPass icon then visiting a malicious site and being tricked into clicking on the page several times.

LastPass said it worked quickly to develop a fix and verified it with Ormandy. While any potential exposure was limited to Chrome and Opera browsers, LastPass said they deployed the update to all browsers out of precaution.

Fortunately, LastPass users shouldn’t have to do much as the client has likely already automatically updated itself by now. You can check your LastPass version number by navigating to Account Options -> About LastPass. If you’ve got v4.33.0 / v4.33.4 then you’re golden.

Image credit: LastPass by Sharaf Maksumov

Permalink to story.

 

Kibaruk

TechSpot Paladin
A bug in a password manager? Who would have thunk it?
A security researcher :)

Good news is, the team actually did what they were supposed to do... sadly doing the necessary doesn't seem to be an upward trend.

I'm assuming even with the bug you'd had still be prompted that the login credentials were going to be sent to another domain, I've found this feature really useful.
 

wiyosaya

TS Evangelist
A security researcher :)

Good news is, the team actually did what they were supposed to do... sadly doing the necessary doesn't seem to be an upward trend.

I'm assuming even with the bug you'd had still be prompted that the login credentials were going to be sent to another domain, I've found this feature really useful.
Perhaps I should have added /sarcasm ;)

Personally, I do not use password managers and never will. And I do not use the same password on every site. In fact, I have several different passwords. The easiest to remember are the phrases - especially when they follow the new recommendations for passwords.
 
  • Like
Reactions: jobeard

Kibaruk

TechSpot Paladin
For sure, I added the smiley face right next to it for the same purpose :) next time I'll use /s

You have a method to remember your passwords, I did too, I actually even built a small matrix I carried with me in case I forgot how to crack it but, it can be cracked. After that I realized if a couple of my passwords were on the open through hacked services, if someone wanted to dedicate time it wouldn't be that hard to find a pattern.

But, to each their own. If that works for you, great.
 
  • Like
Reactions: wiyosaya