LastPass Bug in Browser Extension Now Fixed

November 12, 2019

LastPass, the well-known password manager, has just fixed a sensitive and potentially costly bug in its browser extension: a malicious website could have obtained the password the extension had most recently entered for the user.

The bug was discovered by Tavis Ormandy, a security researcher in Google’s Project Zero group (GPZ), and documented in a bug report dated August 29th. LastPass says it applied a permanent fix on September 13th and pushed the critical update to all browsers, where it should be applied automatically, something LastPass users would be wise to verify. If the update has not arrived, they will need to install it manually. Immediately.

As for the bug itself: it works by luring users to a malicious website and tricking the browser’s LastPass extension into using an old password from a recently visited site. Ormandy noted that attackers could use an online tool such as Google Translate to disguise a malicious URL and trick unwary users into visiting a rogue or fraudulent website.

Although LastPass said in its statement that the update should be applied automatically, you should check that you are running the latest version of the browser extension, especially if you use a browser that lets you disable automatic updates for extensions.

The bug was reportedly fixed in version 4.33.0 of the browser extension. LastPass said it believes only the Google Chrome and Opera browsers were affected, but as a precaution it also deployed the patch for all other browsers to protect all of its users.
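Checking that an installed extension is at or above the fixed version sounds trivial, but naive string comparison gets it wrong (as plain strings, "4.4.0" sorts above "4.33.0"). The following is an added example, not LastPass’s or Project Zero’s code: it reads the `version` key of an extension manifest and compares it numerically against the 4.33.0 threshold named above. The manifest contents are constructed for illustration and are not real LastPass files.

```python
"""Verify that an installed browser-extension version includes the fix the
article describes (4.33.0 or later).

Added example, not LastPass's or Project Zero's code. The sample manifests
below are constructed; only the 4.33.0 threshold comes from the article."""
import json

PATCHED_VERSION = "4.33.0"  # version the article names as carrying the fix


def parse_version(version: str) -> tuple:
    """Split a dotted version string into a tuple of ints.

    Numeric comparison matters: compared as strings, "4.4.0" > "4.33.0"
    because '4' > '3' character-wise, which would wrongly report an old
    build as patched. Missing trailing components count as zero, so
    "4.33" compares equal to "4.33.0".
    """
    parts = []
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:          # keep the leading digits of each component
            if ch.isdigit():
                digits += ch
            else:
                break
        if not digits:
            raise ValueError(f"unparseable version component {piece!r} in {version!r}")
        parts.append(int(digits))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_patched(installed: str, minimum: str = PATCHED_VERSION) -> bool:
    """True when the installed version is at or above the fixed version."""
    return parse_version(installed) >= parse_version(minimum)


def check_manifest(manifest_json: str, minimum: str = PATCHED_VERSION) -> dict:
    """Read the 'version' key that every WebExtension manifest.json carries
    and report whether it meets the minimum."""
    manifest = json.loads(manifest_json)
    version = manifest["version"]
    return {"version": version, "patched": is_patched(version, minimum)}


# Constructed sample manifests (hypothetical, not real LastPass files).
SAMPLE_OLD = '{"name": "example-extension", "version": "4.32.1"}'
SAMPLE_NEW = '{"name": "example-extension", "version": "4.33.0"}'

if __name__ == "__main__":
    for label, manifest in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW)):
        print(label, check_manifest(manifest))
```

In practice the manifest lives in the browser’s extension directory for your profile; the point of the example is the comparison, which is the step that quietly breaks when version strings are compared lexicographically.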

In its online statement, LastPass played down the seriousness of the bug. Ferenc Kun, LastPass’ Security Engineering Manager, said that exploiting it depended on a user visiting a malicious website and then being tricked into clicking a link on the page “a few times.”

GPZ’s Ormandy nevertheless gave the bug a “High” severity rating. The bug was carefully studied and responsibly disclosed to LastPass before being made public, and there is no evidence that it was ever actively exploited on the web, something LastPass had been watching for.

GPZ has teams of highly talented security researchers whose mandate is to discover vulnerabilities and report them to the affected vendors immediately. Vendors then have a 90-day period from the date of discovery to issue fixes or patches before GPZ makes full public disclosure.

Regardless of this bug, using password management software is still encouraged and is still considered an excellent step for your online security. The discovery of the bug simply shows that password managers, like any other online tool, can still be vulnerable to security issues, and of course to attackers.

So it is always wise to add two-factor authentication to any website that supports it, alongside strong, unique passwords that you never reuse between services. This adds an extra layer of protection against would-be intruders keen to obtain your personal information.
