Over the past few days, reports have begun to surface about known, major vulnerabilities in password manager LastPass. Today, the company has released a statement regarding these vulnerabilities, revealing that they were addressed immediately.
The first and most recent vulnerability was discovered by Google Security Team researcher Tavis Ormandy. He uncovered and documented a message-hijacking bug in the LastPass Firefox addon, which could lead to the execution of actions in the background without the user's knowledge. This vulnerability was disclosed to LastPass and fixed within hours, resulting in an update for Firefox users.
The second vulnerability has been making headlines recently due to a post by security researcher Mathias Karlsson titled "How I made LastPass give me all your passwords". However, as LastPass notes, the issue was disclosed to LastPass more than a year ago and subsequently addressed at the time through an update to all browser extensions.
The vulnerability in question surrounded the URL parsing code in LastPass' extension, which allowed Karlsson to steal passwords that were mistakenly autofilled on malicious websites. This was a critical security issue, and LastPass published an update to their extension that addressed it in under a day.
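The root of that class of bug is deciding whether to autofill from the raw URL string rather than from a properly parsed origin. The following is an added illustration, not LastPass code: it contrasts a naive substring match against a check that parses both URLs with the WHATWG `URL` parser and compares full origins. The vault entry and page URLs are constructed placeholders.

```javascript
// Added example (not LastPass code): should a stored credential be autofilled
// on the current page? Compare parsed origins, never raw URL substrings.

// Constructed sample vault entry; site name and URL are placeholders.
const SAMPLE_ENTRY = { site: 'Example Bank', url: 'https://bank.example.com/login' };

// Naive approach: look for the saved hostname anywhere in the page URL.
// Any page whose URL merely *contains* the saved hostname also matches.
function naiveMatches(entry, pageUrl) {
  const host = new URL(entry.url).hostname;
  return pageUrl.includes(host);
}

// Robust approach: parse both URLs, require HTTPS on the page, and compare
// the whole origin (scheme + host + port). A parse failure means "do not fill".
function shouldAutofill(entry, pageUrl) {
  let saved;
  let page;
  try {
    saved = new URL(entry.url);
    page = new URL(pageUrl);
  } catch (e) {
    return false; // unparseable URL: never fill
  }
  if (page.protocol !== 'https:') return false; // no credentials over plaintext
  return saved.origin === page.origin;
}

// Constructed page URLs used to exercise both checks.
const LEGIT_PAGE = 'https://bank.example.com/account/login?next=/';
const LOOKALIKE_HOST_PAGE = 'https://bank.example.com.lookalike.invalid/login';
const HOST_IN_PATH_PAGE = 'https://lookalike.invalid/bank.example.com/login';
const PLAINTEXT_PAGE = 'http://bank.example.com/login';
```

Only `LEGIT_PAGE` passes `shouldAutofill`, while the naive check accepts all four.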
In their post on the matter, LastPass reminds people to be wary of phishing attacks, and suggests good security practices like using two-factor authentication and unique passwords for every account.