LastPass Bug Leaks Credentials From The Previous Site


LastPass, an online password manager platform, has fixed a serious bug that could have been used to leak the last used credentials. The bug was found last month, and the bug report has now been made public.

Tavis Ormandy, a security researcher with Project Zero, Google’s security and bug-hunting team, reported the bug, and the report pegs it as ‘highly severe’ and potentially exploitable. Because the report details the steps necessary to reproduce the vulnerability, it is important that all users update to version 4.33.0, released last week.

LastPass issued a fix for the bug with this new version.

Last week, LastPass provided an update, and now Google has made the bug report public. The report details a step-by-step process by which the bug can be reproduced and misused, and it can be found on the company site.

The flaw, in the browser extension of LastPass's password manager software, created a clickjacking risk: it gave malicious websites a way to trick LastPass users into revealing the credentials of the websites they had previously visited.

Ormandy mentioned in his post on Twitter that “LastPass could leak the last used credentials due to a cache not being updated. To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times. This exploit may result in the last site credentials filled by LastPass to be exposed. We quickly worked to develop a fix and verified the solution was comprehensive with Tavis.”
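The stale-cache condition described in the quote above, as a simplified model added here: it is not LastPass's code or code from the bug report, and `FillCache`, its methods and the sample origins are hypothetical. It contrasts a cache that keeps the last filled origin with one that re-derives the origin from the page currently loaded.

```javascript
// Simplified model of a password-manager fill cache (all names hypothetical).
class FillCache {
  constructor(vault, { revalidate }) {
    this.vault = vault;           // origin -> stored credentials
    this.revalidate = revalidate; // false models the stale-cache behaviour
    this.cachedOrigin = null;     // origin remembered from the last fill
  }

  // The user clicks the fill icon on a login form at `pageUrl`.
  fillFromIcon(pageUrl) {
    this.cachedOrigin = new URL(pageUrl).origin;
    return this.vault.get(this.cachedOrigin) ?? null;
  }

  // A later fill request that arrives without a fresh icon click,
  // for example from a popup frame on whatever page is loaded now.
  fillFromPopup(currentPageUrl) {
    const current = new URL(currentPageUrl).origin;
    if (this.revalidate && current !== this.cachedOrigin) {
      // Hardened: refresh the cache from the page actually loaded.
      this.cachedOrigin = current;
    }
    return this.vault.get(this.cachedOrigin) ?? null;
  }
}

// Constructed sample data.
const vault = new Map([
  ["https://bank.example", { user: "alice", password: "constructed-secret" }],
]);

function demo(revalidate) {
  const cache = new FillCache(vault, { revalidate });
  cache.fillFromIcon("https://bank.example/login");
  return cache.fillFromPopup("https://other.example/landing");
}

console.log("stale cache:", demo(false)); // previous site's credentials
console.log("revalidated:", demo(true));  // null: nothing stored for this origin
```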

LastPass mentioned that no user action is needed and that the LastPass browser extension will update automatically, but we recommend that all users, to be absolutely sure they are safe from any potential threats, double-check that they are on the latest version, 4.33.0.

The bug was found and fixed in private, and there is no reason to believe that it has been misused. LastPass also mentioned that we don’t recommend against using password managers. This platform lets users have unique passwords for several websites and is an important tool for staying safe, because the most important thing about the internet is passwords, and remembering them.

Source: https://gadgets.ndtv.com/apps/news/lastpass-critical-bug-fix-update-version-4-33-0-discovered-google-project-zero-tavis-ormandy-2101866
