LastPass bug leaks credentials from previous site

[steven36]

LastPass has released a fix last week. Vulnerability details are now public. Users advised to update.

 

 

Password manager LastPass has released an update last week to fix a security bug that exposes credentials entered on a previously visited site.

 

The bug was discovered last month by Tavis Ormandy, a security researcher with Project Zero, Google's elite security and bug-hunting team.

Fix available

LastPass, believed to be the most popular password manager app today, fixed the reported issue in version 4.33.0, released last week, on September 12.

 

If users have not enabled an auto-update mechanism for their LastPass browser extensions or mobile apps, they're advised to perform a manual update as soon as possible.

 

This is because yesterday, Ormandy published details about the security flaw he found. The security researcher's bug report walks an attacker through the steps necessary to reproduce the bug.

 

Since the bug relies on executing malicious JavaScript code alone, with no other user interaction, the bug is considered dangerous and potentially exploitable.

 

Attackers could lure users on malicious pages and exploit the vulnerability to extract the credentials entered on previously-visited sites. According to Ormandy, this isn't as hard as it sounds, as an attacker could easily disguise a malicious link behind a Google Translate URL, trick users into visiting the link, and then extract credentials from a previously visited site.

 

 

"I think it's fair to call this 'High' severity, even if it won't work for *all* URLs," Ormandy said.

 

Since the vulnerability was discovered and then privately reported by Google, there's no reason to believe the bug has been exploited in the wild. A LastPass spokesperson did not return a request for comment.

Don't abandon password managers because of a fixable bug

Like any other applications, password managers are sometimes vulnerable to bugs, which are in all cases eventually fixed.

 

Despite this vulnerability, users are still advised to rely on a password manager whenever they can. Using a password manager is many times better than leaving passwords stored inside a browser, from where they can be easily extracted by forensic tools and malware.

 

LastPass' efficiency in keeping passwords away from prying eyes was proven this summer when the company couldn't answer legal demands from the US Drug Enforcement Administration (DEA).

 

The company was told by cops to hand over information on a user, such as passwords and home address, but the company couldn't comply with the order because the data was encrypted and they couldn't access it.

 

Source

[frankl1n]

It is good that the bug in LastPass was discovered and squashed. Those users should update/change their passwords , dont leave anything to chance.

I use Keepass v1.xx and hope it is properly protecting my passwords. So far have not heard anything about Keepass having such a bug.

[nsan3]

Do not know why people believe on third-party solutions to safe guard one's credentials?