Password manager LastPass released an update last week to fix a security bug that exposes credentials entered on a previously visited site.
The bug was discovered last month by Tavis Ormandy, a security researcher with Project Zero, Google’s elite security and bug-hunting team.
LastPass, believed to be the most popular password manager app today, fixed the reported issue in version 4.33.0, released last week, on September 12.
If users have not enabled an auto-update mechanism for their LastPass browser extensions or mobile apps, they’re advised to perform a manual update as soon as possible.
This is because yesterday, Ormandy published details about the security flaw he found. The security researcher’s bug report walks an attacker through the steps necessary to reproduce the bug.
Attackers could lure users on malicious pages and exploit the vulnerability to extract the credentials entered on previously-visited sites. According to Ormandy, this isn’t as hard as it sounds, as an attacker could easily disguise a malicious link behind a Google Translate URL, trick users into visiting the link, and then extract credentials from a previously visited site.
“I think it’s fair to call this ‘High’ severity, even if it won’t work for *all* URLs,” Ormandy said.
Since the vulnerability was discovered and then privately reported by Google, there’s no reason to believe the bug has been exploited in the wild. A LastPass spokesperson did not return a request for comment.
Don’t abandon password managers because of a fixable bug
Like any other application, password managers are sometimes vulnerable to bugs, and those bugs are eventually fixed.
Despite this vulnerability, users are still advised to rely on a password manager whenever they can. Using a password manager is far better than leaving passwords stored inside a browser, from where they can be easily extracted by forensic tools and malware.
LastPass’ efficiency in keeping passwords away from prying eyes was proven this summer when the company couldn’t answer legal demands from the US Drug Enforcement Administration (DEA).
The company was told by cops to hand over information on a user, such as passwords and home address, but the company couldn’t comply with the order because the data was encrypted and they couldn’t access it.