LastPass fixes bug that allowed malicious websites to steal login credentials
Password manager LastPass Inc. said it has patched a vulnerability identified by a Google LLC security researcher that allowed a malicious website to steal login credentials for the last account a user had accessed using the company’s Chrome or Opera extensions.
Discovered last month by Google Project Zero’s Tavis Ormandy, the vulnerability allowed a malicious website to trick the browser extension into filling a password that had been used on a previously visited website.
To exploit the vulnerability, a malicious website could embed an HTML iframe, a webpage nested inside another webpage, that pointed at the extension’s cached login for the last site filled, allowing the site and those behind it to capture those credentials.
Getting to that point isn’t necessarily easy but it’s doable. “To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times,” LastPass explained in a blog post Friday. “This exploit may result in the last site credentials filled by LastPass to be exposed.”
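As an added illustration (not LastPass’s code or its actual fix), the following JavaScript models the class of state at issue: a “last filled credential” cache that serves whoever asks, beside a version that binds each entry to the origin it was filled on and also checks the origin of the top-level document, so a page that frames the target site cannot retrieve credentials cached for it. The `FillCache` class, the `vault` map and all URLs and credentials are constructed for the example.

```javascript
// Added illustration (not LastPass code): a toy model of a browser extension's
// "last filled credential" cache, the kind of state the bug above exposed.
// The vulnerable lookup returns whatever was filled most recently to any
// caller; the hardened lookup refuses unless both the requesting frame and
// the top-level document share the origin the entry was cached for, which
// blocks a malicious page that frames the target site and drives a fill.
// FillCache, vault, and the sample credentials are constructed for this example.

const vault = new Map([
  ["https://bank.example", { username: "alice", password: "correct-horse" }],
  ["https://mail.example", { username: "alice@mail.example", password: "battery-staple" }],
]);

function originOf(url) {
  return new URL(url).origin; // scheme + host + port, e.g. "https://bank.example"
}

class FillCache {
  constructor() {
    this.last = null; // { origin, username, password } of the most recent fill
  }

  // Called when the user fills a login form on pageUrl via the extension.
  recordFill(pageUrl) {
    const origin = originOf(pageUrl);
    const cred = vault.get(origin);
    if (!cred) return false;
    this.last = { origin, ...cred };
    return true;
  }

  // Vulnerable: any page that can reach this call receives the last
  // credentials, regardless of where the request actually comes from.
  fillLastVulnerable() {
    if (!this.last) return null;
    return { username: this.last.username, password: this.last.password };
  }

  // Hardened: the caller must state both its own frame URL and the top-level
  // document URL; a mismatch on either origin means the fill is being driven
  // from a different site (directly or through an iframe) and is refused.
  fillLastHardened(frameUrl, topUrl) {
    if (!this.last) return null;
    if (originOf(frameUrl) !== this.last.origin || originOf(topUrl) !== this.last.origin) {
      return null;
    }
    return { username: this.last.username, password: this.last.password };
  }
}

// Walk through the sequence described in the article with constructed URLs.
function simulate() {
  const cache = new FillCache();
  cache.recordFill("https://bank.example/login"); // the user fills the bank login

  // The user then lands on a malicious page that frames the bank site and
  // tricks them into triggering a fill from inside that frame.
  const attackerTop = "https://attacker.example/lure";
  const framedBank = "https://bank.example/some/path";

  return {
    vulnerable: cache.fillLastVulnerable(),                      // bank credentials leak
    hardened: cache.fillLastHardened(framedBank, attackerTop),   // null: top-level origin differs
    legitimate: cache.fillLastHardened(framedBank, "https://bank.example/account"), // allowed
    plainHttp: cache.fillLastHardened("http://bank.example/", "http://bank.example/"), // null: scheme is part of the origin
  };
}

console.log(JSON.stringify(simulate(), null, 2));
```

The hardened check is a model of the principle, not a description of LastPass’s patch: cached autofill state should be keyed to the origin it was captured on and released only when the whole document hierarchy, not just the immediate frame, belongs to that origin.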
Ormandy informed LastPass before going public with the vulnerability, allowing the popular password manager firm to fix the vulnerability and roll out updates to users before publication. “We quickly worked to develop a fix and verified the solution was comprehensive with Tavis,” LastPass wrote.
Despite spurious reports on some websites that users must update LastPass manually, no user intervention is required: the patched versions of the Chrome and Opera extensions were pushed out to users automatically.
This isn’t the first time a vulnerability has been found in LastPass. A vulnerability Ormandy found in March 2017 in the LastPass browser extension allowed attackers not only to steal passwords but also to execute malicious code. Then, as now, Ormandy informed LastPass of his discovery in advance, allowing the vulnerability to be patched before details were made public.
LastPass itself was also hacked in 2015, with the attackers stealing user account email addresses, password reminders, per-user server salts and authentication hashes.
Although the 2015 breach was unfortunate, as is the discovery of any security vulnerability, LastPass otherwise has a decent track record when it comes to securing data. With 16.7 million users, the company claims to be the market leader in password management.
Image: hunter0405/Flickr