- Jan 24, 2011
Mike Cardwell, the Stallmanite who recently discovered a fantastically covert way of working out which Web services you're currently logged in to, has found a nasty XSS vulnerability in the LastPass password manager. The cross-site scripting (XSS) vulnerability not only allows nefarious types to see which sites you've recently logged in to, but it also provides access to your email address and password reminder.
First off: don't worry. Cardwell reported the vulnerability to LastPass before writing it up, and it has since been fixed. We're not sure if the fix has propagated out to the Chrome and Firefox add-ons -- but we have to assume that Cardwell wouldn't have written his blog post if the vulnerability still existed.
Update: LastPass has now implemented HSTS and a few other features to make their website and browser add-ons a lot harder to attack in the future.
More details - link