silversurfer

A security vulnerability in the extension of LastPass password manager could have allowed stealing the credentials last used for logging into a website.
Exploiting the bug was possible in Google Chrome and Opera web browsers and required some effort to be successful since the target needed to go through several steps.

Google security engineer Tavis Ormandy found that an attacker could create a valid clickjacking scenario for a user that has used LastPass to log into an account and direct them to a compromised or malicious website loaded with a specially created iframe.
In the vulnerability disclosure submitted to LastPass, the researcher details the technical aspect and how subsequent clickjacking can reveal the last credentials used by a victim.
The makers of the password manager acknowledged the vulnerability and on Friday they published an advisory announcing that they resolved the bug.
The company notes that "while any potential exposure due to the bug was limited to specific browsers (Chrome and Opera), as a precaution, we’ve deployed the update to all browsers." The process is automated so users do not have to take any action.
 

Slyguy

LastPass is really fast at fixing things but the code is still closed source. Bitwarden Premium is cheaper and better.
Absolutely.. I've been promoting Bitwarden since a couple of weeks after it came out. Not only does it avoid utilization of buggy AWS (Azure is better), but it's open source, and the developer is super responsive.

LastPass, never trusted them. Never will.
 

DeepWeb

Absolutely.. I've been promoting Bitwarden since a couple of weeks after it came out. Not only does it avoid utilization of buggy AWS (Azure is better), but it's open source, and the developer is super responsive.

LastPass, never trusted them. Never will.
When I switched from LastPass to Bitwarden, I changed all of my passwords. It was tedious but I think it was worth it.