LastPass Fixed A Flaw Putting Users At Risk Of Clickjacking

Et tu, LastPass? The popular password manager LastPass released an update last week fixing a security flaw that could have exposed credentials entered on previously visited websites.

The bug was reported to LastPass by Project Zero on August 29th. Project Zero is a white-hat security research team at Google that looks for flaws in widely used consumer software; the team recently published details of major flaws in iOS.

LastPass fixed the reported issue in version 4.33.0, released on September 12. With the vulnerability patched, Tavis Ormandy, the Project Zero researcher who found it, lifted the restriction on his bug report yesterday. The report details the steps an attacker would need to reproduce the bug, which relied on malicious JavaScript running in the victim's browser.

The JavaScript could have been embedded on any website and masked behind a Google Translate URL. An attacker who tricked a user into visiting that link could then have extracted credentials from a site the user had previously visited.

“To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times,” Ferenc Kun, the security engineering manager for LastPass, wrote in a statement.

The issue appears to have been specific to the Chrome and Opera extensions (Opera is a Chromium-based browser), but LastPass said it has deployed the update to all browsers as a precaution.
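The clickjacking angle in Kun's statement is the general point worth taking away: an attack of this kind needs the victim's content to sit inside a page the attacker controls, where the user can be tricked into clicking. For ordinary web pages the defence is the X-Frame-Options header or, better, a Content-Security-Policy frame-ancestors directive. The following Node.js function is an added example, not LastPass's or Project Zero's code: it evaluates a set of HTTP response headers and reports whether an arbitrary site could frame the page. The header sets it runs on are constructed for the example. Note that these headers protect a site's own pages; they do not govern UI that a browser extension injects into a page, which is why this particular bug could only be fixed on the LastPass side.

```javascript
// Added example (not LastPass's or Project Zero's code): decide, from a site's
// HTTP response headers, whether a browser will let that page be framed by an
// arbitrary attacker origin. Clickjacking needs the victim page inside an
// attacker-controlled frame, so these anti-framing headers are the usual defence.
//
// Assumptions: header names are case-insensitive; when both headers are present
// a CSP frame-ancestors directive takes precedence over X-Frame-Options (this is
// what the CSP specification requires of supporting browsers).

function normaliseHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) {
    const key = k.toLowerCase();
    // Repeated headers are joined with a comma, as HTTP/1.1 does.
    out[key] = out[key] ? out[key] + ', ' + v : v;
  }
  return out;
}

// Returns the frame-ancestors source list from a CSP header, or null if absent.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === 'frame-ancestors') {
      return parts.slice(1).map(s => s.toLowerCase());
    }
  }
  return null;
}

// Classify the framing policy of one response.
// Result: { framable: bool, source: 'csp' | 'x-frame-options' | 'none', detail }
function framingPolicy(rawHeaders) {
  const h = normaliseHeaders(rawHeaders);

  const ancestors = frameAncestors(h['content-security-policy']);
  if (ancestors) {
    // 'none' forbids all framing; 'self' and explicit origins limit it to
    // trusted ancestors. Only '*' or a bare scheme wildcard lets an arbitrary
    // attacker site frame the page.
    const open = ancestors.some(a => a === '*' || a === 'http:' || a === 'https:');
    return { framable: open, source: 'csp', detail: ancestors.join(' ') };
  }

  const xfo = (h['x-frame-options'] || '').trim().toLowerCase();
  if (xfo === 'deny' || xfo === 'sameorigin') {
    return { framable: false, source: 'x-frame-options', detail: xfo };
  }
  if (xfo.startsWith('allow-from')) {
    // ALLOW-FROM is obsolete and never worked in Chromium; treat it as no protection.
    return { framable: true, source: 'x-frame-options', detail: xfo };
  }
  return { framable: true, source: 'none', detail: '' };
}

// Constructed sample responses for the example (not captured from any real site).
const SAMPLES = {
  unprotected: { 'Content-Type': 'text/html' },
  xfoDeny: { 'X-Frame-Options': 'DENY' },
  cspSelf: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self'" },
  cspWildcard: { 'Content-Security-Policy': 'frame-ancestors *' },
  cspOverridesXfo: { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': 'frame-ancestors https:' },
  allowFrom: { 'X-Frame-Options': 'ALLOW-FROM https://example.com' },
};

// Evaluate every sample and return the results keyed by sample name.
function report() {
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([name, hdrs]) => [name, framingPolicy(hdrs)])
  );
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, r] of Object.entries(report())) {
    console.log(`${name.padEnd(16)} framable=${r.framable} (${r.source} ${r.detail})`);
  }
}
```

Run it with `node` to print the verdict for each sample. The cspOverridesXfo case is the one that catches people out: the DENY is ignored because the CSP directive is present, and `frame-ancestors https:` lets any HTTPS origin frame the page.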

While LastPass has had more than a few security bugs in the past, LastPass and other password managers are still good for security: the alternative, storing all your password data in the browser, is a terrible idea. Although I have used LastPass for many years, I no longer recommend it to others. Privacytools.io has some recommendations for more secure password managers.
