Skip to main content

LastPass bug exposes credentials

(Image credit: Image Credit: Rawpixel.com / Shutterstock)

One of the world’s most beloved password managers announced that it had discovered, and fixed a security flaw which could expose certain credentials to hackers.

LastPass said that it had identified a bug which would expose usernames and passwords (opens in new tab)entered on a previously visited site. The bug was first discovered by Project Zero’s security researcher Tavis Ormandy. Project Zero is a Google’s team, dedicated to finding bugs.

The flaw, which impacts only Chrome and Opera browser extensions, was fixed last week, on September 12, and the app was updated to version 4.33.0. LastPass users are advised to double-check if their extensions are up to date, because now that the flaw has gone public, it is still considered dangerous.

In theory, a victim could be lured to a malicious website (for example, through a phishing email), and exploit the vulnerability to find the last credentials they had used. Ormandy claims the whole process is quite simple.

"I think it's fair to call this 'High' severity, even if it won't work for *all* URLs," Ormandy said.

Discussing the flaw in a blog post, LastPass downplayed its importance, with the company Security Engineering Manager, Ferenc Kun, saying the victim needs to click on the page “several times”.

“To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password (opens in new tab)with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times,” he wrote.

Sead Fadilpašić
Sead Fadilpašić

Sead Fadilpašić is a freelance tech writer and journalist with more than 17 years experience writing technology-focussed news, blogs, whitepapers, reviews, and ebooks. And his work has featured in online media outlets from all over the world, including Al Jazeera Balkans (where he was a Multimedia Journalist), Crypto News, TechRadar Pro, and IT Pro Portal, where he has written news and features for over five years. Sead's experience also includes writing for inbound marketing, where he creates technology-based content for clients from London to Singapore. Sead is a HubSpot-certified content creator.