LastPass Chrome & Firefox Extensions Affected by Critical Bug (Patched)

[Bot]

Content source

http://news.softpedia.com/news/lastpass-chrome-firefox-extensions-affected-by-critical-bug-514140.shtml

LastPass, the password vault that you were supposed to trust with your information, was affected by a critical security flaw. Thankfully, the company has already patched things up.

This wasn't even some very complicated problem, but rather a coding error. At least that's the opinion of Google's Tavis Ormandy, security expert that has detected numerous problems over the years, including the recent Cloudflare incident.

The white hat found the issue within the LastPass Chrome extension. According to Ormandy, the extension had an exploitable content script that could be attacked to extract passwords from the manager. It could also be pushed to execute commands on the victim's computer, which the Google hacker demonstrated easily.

"This script will proxy unauthenticated window messages to the extension. This is clearly a mistake," Ormandy writes.

Read more: LastPass Chrome & Firefox Extensions Affected by Critical Bug

 

[frogboy]

Happy they fixed this up quickly.

 

[ForgottenSeer 55474]

Yes,that made me sweat a little

 

[Huchim]

I forgot that I still have an account in lastpass, since I don't use it anymore...

 

[Solarlynx]

Hmm, as a Lastpass user I think maybe it's safer to return to Keepass?

 

[jerzy601]

It was good that they fixed it quickly, and I thought I would have to change the password manager.

 

[Ink]

Hmm, as a Lastpass user I think maybe it's safer to return to Keepass?

If that's the case, then Keepass can fix vulnerabilities much quicker than LastPass? You should be grateful that it was patched sooner rather than later.

As you know, all software contain vulnerabilities that have yet to be discovered.

 

[LASER_oneXM]

thx for this info ! .....just finished updating my machines !

 

[generalwu]

Saw this awhile ago and glad that they're very swift to responses unlike some other companies.

Glad to support them with premium.

 

[shmu26]

There is no software without potential vulnerabilities. If they fix things fast, that's about as secure as you can get.

 

[_CyberGhosT_]

Happy they fixed this up quickly.

You and me both brother

 

[Solarlynx]

If that's the case, then Keepass can fix vulnerabilities much quicker than LastPass? You should be grateful that it was patched sooner rather than later.

Of course, I'm grateful to Lastpass and not only in this case. But this case woke up my uneasiness towards using password managers like Lastpass. And the question is still the same. Maybe Keepass is more safer? I just don't have enough knowledge to make certain answer. I used Keepass with Dropbox sync and was quite shure in my passwords database safety. At least KP is an open source.

One more thing about LP is that they moved to freemium for android users. Will they have enough cash to develop their product? The freemium options actually provide what most users need.

 

[Zar_]

Thanks for the notice, it is already updated. I'm glad for the speed

 

[larry goes to church]

Project Zero releases ALOT of good content. I can see why enterprises would hate to hear from them though lol