One of the world’s most popular password managers announced that it had fixed a security flaw which could expose certain credentials to attackers.
LastPass said that it had identified a bug which could expose the username and password the extension had last filled on a previously visited site. The bug was reported by Tavis Ormandy, a security researcher with Project Zero, Google’s team dedicated to finding and reporting security bugs.
The flaw, which affects only the Chrome and Opera browser extensions, was fixed last week, on September 12, with the release of version 4.33.0. LastPass users are advised to confirm that their extension has updated to that version or later: now that the flaw is public, unpatched installations remain at risk.
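The article tells users to check that the extension has updated to 4.33.0, but browsers do not make that easy to script. The following is an added example, written for this page and not code from LastPass or Project Zero, that walks a Chromium-style profile's Extensions directory (Chrome lays out unpacked extensions as `<profile>/Extensions/<id>/<version>_<n>/manifest.json`), finds any extension whose name contains "LastPass", and compares its version numerically against 4.33.0. The profile paths in the comments, the name substring to match, and the sample extensions it builds in a temporary directory are assumptions made for the example; the installed LastPass manifest may use a localized `__MSG_…__` name, which the code resolves through `_locales/en/messages.json` when present.

```python
import json
import os
import re
import tempfile

FIXED_VERSION = "4.33.0"  # release the article says carries the fix


def parse_version(version):
    """Turn '4.33.0' (or '4.33.0_0', as Chrome names the directory) into (4, 33, 0).
    Integer tuples compare correctly; plain strings would rank '4.9.0' above '4.33.0'."""
    numbers = []
    for part in version.split("."):
        match = re.match(r"\d+", part)
        numbers.append(int(match.group()) if match else 0)
    return tuple(numbers)


def is_patched(installed, fixed=FIXED_VERSION):
    """True when the installed version is at or beyond the fixed release."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def _extension_name(ext_dir, manifest):
    """Resolve a '__MSG_key__' placeholder name via _locales/en/messages.json if it exists."""
    name = str(manifest.get("name", ""))
    m = re.fullmatch(r"__MSG_(\w+)__", name)
    if not m:
        return name
    messages = os.path.join(ext_dir, "_locales", "en", "messages.json")
    if os.path.isfile(messages):
        with open(messages, encoding="utf-8") as f:
            entry = json.load(f).get(m.group(1), {})
        return str(entry.get("message", name))
    return name


def scan_extensions(extensions_dir, name_substring="lastpass"):
    """Return (extension_id, version, patched) for each installed extension whose
    resolved name contains name_substring (assumed to identify LastPass)."""
    found = []
    for ext_id in sorted(os.listdir(extensions_dir)):
        id_dir = os.path.join(extensions_dir, ext_id)
        if not os.path.isdir(id_dir):
            continue
        for version_dir in sorted(os.listdir(id_dir)):
            ext_dir = os.path.join(id_dir, version_dir)
            manifest_path = os.path.join(ext_dir, "manifest.json")
            if not os.path.isfile(manifest_path):
                continue
            with open(manifest_path, encoding="utf-8") as f:
                manifest = json.load(f)
            if name_substring.lower() not in _extension_name(ext_dir, manifest).lower():
                continue
            version = str(manifest.get("version", "0"))
            found.append((ext_id, version, is_patched(version)))
    return found


def build_sample_profile():
    """Constructed sample data, not a real profile: an old LastPass, a patched one
    with a localized name, and an unrelated extension, in a temp directory."""
    ext_root = os.path.join(tempfile.mkdtemp(), "Extensions")
    samples = [
        ("aaaa_old_lastpass", "4.9.0_0", {"name": "LastPass (sample)", "version": "4.9.0"}, None),
        ("bbbb_new_lastpass", "4.33.0_0", {"name": "__MSG_appName__", "version": "4.33.0"},
         {"appName": {"message": "LastPass (sample, localized)"}}),
        ("cccc_other", "1.0.0_0", {"name": "Some Other Extension", "version": "1.0.0"}, None),
    ]
    for ext_id, version_dir, manifest, messages in samples:
        ext_dir = os.path.join(ext_root, ext_id, version_dir)
        os.makedirs(ext_dir)
        with open(os.path.join(ext_dir, "manifest.json"), "w", encoding="utf-8") as f:
            json.dump(manifest, f)
        if messages:
            locale_dir = os.path.join(ext_dir, "_locales", "en")
            os.makedirs(locale_dir)
            with open(os.path.join(locale_dir, "messages.json"), "w", encoding="utf-8") as f:
                json.dump(messages, f)
    return ext_root


if __name__ == "__main__":
    # Assumed default profile locations; pass your own path as the first argument:
    #   Linux  ~/.config/google-chrome/Default/Extensions
    #   macOS  ~/Library/Application Support/Google/Chrome/Default/Extensions
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_profile()
    for ext_id, version, ok in scan_extensions(target):
        print(f"{ext_id}: {version} -> {'patched' if ok else 'UPDATE NEEDED'}")
```

Run it without arguments to see the constructed sample, or point it at a real `Extensions` directory. Note that a newer directory on disk does not prove the running browser has loaded it; a browser restart is still needed for an extension update to take effect.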
In theory, a victim could be lured to a malicious website (for example, through a phishing email) which exploits the vulnerability to read the credentials the extension had last filled. Ormandy claims the whole process is quite simple.
"I think it's fair to call this 'High' severity, even if it won't work for *all* URLs," Ormandy said.
Discussing the flaw in a blog post, LastPass downplayed its severity, with the company's Security Engineering Manager, Ferenc Kun, noting that the victim would need to click on the page “several times”.
“To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times,” he wrote.