Security Update for the LastPass Extension

[psyko666]

Over the weekend, Google security researcher Tavis Ormandy reported a new client-side vulnerability in the LastPass browser extension. We are now actively addressing the vulnerability.  This attack is unique and highly sophisticated. We don’t want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties. So you can expect a more detailed post mortem once this work is complete.

In the meantime, we want to thank people like Tavis who help us raise the bar for online security with LastPass, and work with our teams to continue to make LastPass the most secure password manager on the market. And we want to offer our users with a few steps they can take to further protect themselves from these types of client-side issues.

1. Use the LastPass Vault as a launch pad – Launch sites directly from the LastPass vault. This is the safest way to access your credentials and sites until this vulnerability is resolved.
2. Two-Factor Authentication on any service that offers it – Whenever possible, turn on two-factor authentication with your accounts; many websites now offer this option for added security.
3. Beware of Phishing Attacks – Always be vigilant to avoid phishing attempts. Do not click on links from people you don’t know, or that seem out of character from your trusted contacts and companies. Take a look at our phishing primer.

We’ll provide further updates on the patch once complete.

 

Source

[psyko666]

Ouch.. that hurts

[DKT27]

Thread moved to Security and Privacy News.

 

Those who do not know, this seems to be the official response to the issue mentioned here.