Cybersecurity

LastPass Fixed A Flaw Putting Users At Risk Of Clickjacking


Et tu, LastPass? The popular password manager LastPass released an update last week fixing a security flaw that exposed credentials entered on previously visited websites.

Project Zero discovered the bug last month, on August 29th. Project Zero is a white hat hacking team at Google that looks for security flaws in consumer products. Recently the team made major flaws in iOS public.

LastPass fixed the reported issue in version 4.33.0, released on September 12. With the vulnerability now patched, Tavis Ormandy, a researcher at Project Zero, yesterday derestricted a security researcher’s bug report. The report details the steps an attacker would need to reproduce the bug, which worked by executing malicious JavaScript.

The JavaScript code could have been embedded on any website, masked with a Google Translate URL. The attacker could have tricked users into visiting that link. If the attacker successfully fooled users into visiting the link, they could have extracted credentials from previously visited sites.

“To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times,” Ferenc Kun, the security engineering manager for LastPass, wrote in a statement.

The issue was apparently specific to Chrome and Opera (Opera is a Chromium-based browser). LastPass said it has deployed the security update to all browsers as a precaution.

While LastPass has had more than a few security bugs in the past, LastPass and other password managers are good for security. The reality is the alternative of storing all your password data in a browser is a terrible idea. While I have used LastPass for many years, I no longer recommend it to others. Privacytools.io has some recommendations for more secure password managers.

Daniel Payne
I’ve been a freelance writer, video, and web person since 1988. My passion is technology, whether it’s the latest cameras or cutting edge ways the internet is used to improve medicine. I write for Internet News Flash and am helping with the online resurrection of Digital Content Creators Magazine. Contact me: danielpaynetech@gmail.com
http://www.danieljpayne.com/
