Last week, developers updated the LastPass password manager. As it turned out now, updating to version 4.33.0 fixed a dangerous bug discovered by Google Project Zero expert Tavis Ormandy that was leading to data leakage.
The vulnerability allowed leak of credentials entered on a previously visited site, and LastPass developers report that the problem affected extensions for the Chrome and Opera browsers.Ormandy said that using clickjacking, attackers could extract credentials from a previously visited site by using clickjacking, iframes and redirecting LastPass users to compromised or malicious sites.
“This is not as difficult as it seems, because an attacker can, for example, mask a malicious link, for example, behind the Google Translate URL. Simply saying, if the victim visited site A and the credentials were entered using LastPass, and then the victim went to site B, through the last one could access the credentials of site A”, – notes Tavis Ormandy.
Although the operation of the bug required the victim to enter credentials using the LastPass icon, visit a hacked or malicious site, and click on the page several times, the developers described the bug as very serious and hastened to issue a “patch”.
Since Ormandy notified the company privately and the bug was quickly fixed, it is reported that no signs of exploitation of this vulnerability by attackers were detected.
Read also: NetCAT Vulnerability Threats Intel Server Processors
Tips from LastPass developers on how to avoid hacking user accounts: We know the LastPass community is very security-savvy, but as a reminder LastPass continues to recommend the following general best practices for added online security:
- Beware of phishing attacks. Do not click on links from people you don’t know, or that seem out of character from your trusted contacts and companies.
- Always enable MFA for LastPass and other services like your bank, email, Twitter, Facebook, etc. Adding additional layers of authentication remains the most effective way to protect your account.
- Never reuse your LastPass master password and never disclose it to anyone, including us.
- Use different, unique passwords for every online account.
- Keep your computer malware-free by running antivirus with the latest detection patterns and keeping your software up-to-date.
