LastPass Fixes Huge Security Flaw that Lets Malicious Websites Extract Passwords


LastPass is widely regarded by many as the number one password manager in the world, but it just had a bug that would have let malicious websites extract the last used password from the manager’s browser extension, as reported by ZDNet. The bug was discovered by Tavis Ormandy, a researcher on Google’s Project Zero team, and was announced back in August. On September 13th, LastPass fixed the issue by rolling out an automatic update to all browsers with its extension.

Ormandy reported that the bug lured users to a malicious website and then fooled the browser extension into filling a password saved for a site visited earlier. According to LastPass, only the Chrome and Opera browsers were affected by this bug, but it deployed the update to all browsers as a precaution. As a user of the extension, it is imperative that you confirm your browser is running the latest LastPass extension update, version 4.33.0.

Explaining the bug and the fix on its website, LastPass said:

“To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times. This exploit may result in the last site credentials filled by LastPass to be exposed. We quickly worked to develop a fix and verified the solution was comprehensive with Tavis.

We have now resolved this bug; no user action is required and your LastPass browser extension will update automatically.

Additionally, while any potential exposure due to the bug was limited to specific browsers (Chrome and Opera), as a precaution, we’ve deployed the update to all browsers.”

Password managers are still recommended despite this bug if you are security conscious online. LastPass may be one of the strongest password managers, but it is still susceptible to flaws, since it is written by humans. It is also advisable to enable two-factor authentication on every website that supports it, to add an extra layer of security.


Posted by Biodun
