UPDATED 06:39 EST / MARCH 23 2017

LastPass issues patch for vulnerability that exposed user passwords

Password security firm LastPass Inc. has issued patches for its Chrome and Firefox plugins after a security researcher at Google Inc. found vulnerabilities that could have allowed attackers to steal users’ passwords or execute malicious code on their computers.

Discovered by Google’s Tavis Ormandy, the vulnerabilities could have given attackers access to internal commands inside the LastPass extension, including the very commands the extension uses to copy passwords or fill in web forms with the victim’s personal information, which is meant to be securely stored.

LastPass confirmed the vulnerabilities, saying that the issue was related to an experimental feature on all LastPass browser clients and that it had issued a fix before the details were made public. The company went on to note that the fix should be applied automatically for LastPass users and that no user interaction was required.

“To prevent these issues in the future, we are reviewing and strengthening our code review and security processes in place today,” the company said in a blog post, “particularly around new and experimental features.”

Disturbingly for a company that says that security is fundamental to what it does, this isn’t the first time the company has been found to be lacking on the security front. In 2015, the company revealed that its network had been hacked and that the perpetrators accessed and stole user account email addresses, password reminders, server user “salts” or random data, and authentication hashes.

The news has prompted some to call on people to stop using password managers. Network World’s Sean Cassidy wrote that “browser-based password manager extensions should no longer be used because they are fundamentally risky and have the potential to have all of your credentials stolen without your knowledge by a random malicious website you visit or by malvertising.”

Cassidy does have a solid point. Online cloud-based password managers are always going to be vulnerable in one way or another, so the question becomes: Is the convenience of a password manager more important than the security of your data?

Image: hunter0405/Flickr
