LastPass fixes password-leaking flaw

Google’s Project Zero finds a critical hole in the widely-used password manager

The LastPass password manager

Password manager LastPass has patched a vulnerability that could have led to users exposing the credentials they previously used on the last site they visited.

A flaw in the password manager's browser extension rendered the service susceptible to cyber criminals launching clickjacking attacks. To fall victim, a LastPass user would have had to fill out their credential details on a website, and then visit a compromised site through being tricked into clicking on the page link several times.

Advertisement - Article continues below

This vulnerability affected the LastPass web extension when used on the Google Chrome and Opera browsers, the company confirmed and was fixed in last week's 4.33.0 update.

The bug was first disclosed by Google's Project Zero research team, namely the security researcher Tavis Ormandy. The disclosure, which dates to 29 August, walks a would-be attacker through the steps needed to run a successful exploit.

The researcher disclosed the vulnerability to LastPass a few weeks ago and left the company to develop a fix. The flaw was made public this weekend.

LastPass has warned users to be aware of the scale of phishing attacks routinely launched against web users, and to use both anti-malware and anti-virus software.

Users of the password manager were also told to enable multi-factor authentication on all services where possible. Moreover, users should never reuse the LastPass master password, and keep different and unique passwords for every online account.

Password managers like LastPass have been touted as a way to bypass the fallibility of having to set and remember passwords for a variety of both personal and work systems. These are in addition to adopting two-factor authentication (2FA) to log-into systems, as well as using biometric authentication.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Many, including Microsoft, have long-claimed that passwords are not fit for purpose in today's landscape. Astonishingly, the 'random' password 'ji32k7au4a83' was, earlier this year, found to have been used in 141 data breaches, for instance.

Four widely-used password managers, themselves, were found to have a set of serious flaws that could allow hackers to break in and steal information, according to research published in February.

Having examined 1Password, Dashlane, KeePass, and LastPass, Independent Security Evaluators (ISE) found that every application had "serious" vulnerabilities that allowed attackers to infiltrate them while they were running in the background.

Featured Resources

Top 5 challenges of migrating applications to the cloud

Explore how VMware Cloud on AWS helps to address common cloud migration challenges

Download now

3 reasons why now is the time to rethink your network

Changing requirements call for new solutions

Download now

All-flash buyer’s guide

Tips for evaluating Solid-State Arrays

Download now

Enabling enterprise machine and deep learning with intelligent storage

The power of AI can only be realised through efficient and performant delivery of data

Download now
Advertisement

Recommended

Visit/security/355013/10-quick-tips-to-identifying-phishing-emails
Security

10 quick tips to identifying phishing emails

16 Mar 2020
Visit/business-strategy/mergers-and-acquisitions/354941/panda-security-to-be-acquired-by-watchguard
mergers and acquisitions

Panda Security to be acquired by WatchGuard

9 Mar 2020
Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/infrastructure/server-storage/355118/hpe-warns-of-critical-bug-that-destroys-ssds-after-40000-hours
Server & storage

HPE warns of 'critical' bug that destroys SSDs after 40,000 hours

26 Mar 2020
Visit/software/video-conferencing/355138/zoom-beaming-ios-user-data-to-facebook-for-targeted-ads
video conferencing

Zoom beams iOS user data to Facebook for targeted ads

27 Mar 2020
Visit/software/355113/companies-offering-free-software-to-fight-covid-19
Software

These are the companies offering free software during the coronavirus crisis

25 Mar 2020
Visit/mobile/mobile-phones/355088/apple-lifts-iphone-purchase-restrictions
Mobile Phones

Apple lifts iPhone purchase restrictions

23 Mar 2020