This isn’t the first time a vulnerability has been found with LastPass. Ormandy informed LastPass before going public with the vulnerability, allowing the popular password manager firm to fix the vulnerability and roll out updates to users before publication. “We quickly worked to develop a fix and verified the solution was comprehensive with Tavis,” LastPass wrote.ĭespite some spurious reports on some websites that users should update LastPass, no user intervention is required since the patched versions of the Chrome and Opera extensions were automatically pushed out to users. ![]() “This exploit may result in the last site credentials filled by LastPass to be exposed.” “To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times,” LastPass explained in a blog post Friday. Getting to that point isn’t necessarily easy but it’s doable. ![]() ![]() To exploit the vulnerability, a malicious website could ultimately produce an HTML iframe, or a webpage embedded inside another webpage, that linked to a cached LastPass login, allowing the site and those behind it to steal user credentials. Password manager LastPass Inc. said it has patched a vulnerability identified by a Google LLC security researcher that allowed a malicious website to steal login credentials for the last account a user had accessed using the company’s Chrome or Opera extensions.ĭiscovered last month by Google Project Zero’s Tavis Ormandy, the vulnerability allowed for a malicious website to trick the browser extension to use a password used from a previously visited website.
0 Comments
Leave a Reply. |