LastPass has patched a bug that would have allowed a malicious website to extract a password previously entered by the service's browser extension. ZDNet reports that the bug was discovered by Tavis Ormandy, a researcher on Google's Project Zero team, and was disclosed in a bug report dated August 29th. LastPass fixed the issue on September 13th and deployed the update to all browsers, where it should be applied automatically, though LastPass users would be wise to verify that it was.
The bug works by luring a user onto a malicious website and fooling the browser extension into filling in a password from a previously visited website. Ormandy notes that attackers could use a service like Google Translate to disguise a malicious URL and trick vulnerable users into visiting a rogue site.
The root cause was that the extension's per-tab credential cache was not being updated: a page could include the login form in an unexpected way that bypassed the code path which populates the cache, so the extension still held, and could hand over, the credentials cached from the site visited before it.
LastPass is believed to be the most popular password manager app today. It fixed the reported issue in version 4.33.0, released last week, on September 12.
If you have not enabled an auto-update mechanism for the LastPass browser extensions or mobile apps, update manually as soon as possible and confirm that the installed extension reports version 4.33.0 or later.
In a statement posted on its blog, LastPass downplayed the severity of the bug. The company's Security Engineering Manager, Ferenc Kun, said that the exploit relied on a user visiting a malicious site. Ormandy nevertheless gave the bug a "High" severity rating. There is no evidence that the bug was exploited in the wild.
Despite this bug, using a password manager is still a sound security measure. The bug's existence highlights that password managers, like any online service, can still be susceptible to security problems. It is therefore a good idea to enable two-factor authentication on any site that supports it, in addition to using strong, unique passwords that you never reuse between services.