Password-Revealing Bug Quickly Fixed in LastPass Extensions

silversurfer

A security vulnerability in the extension of the LastPass password manager could have allowed stealing the credentials last used for logging into a website.
Exploiting the bug was possible in Google Chrome and Opera web browsers and required some effort to be successful since the target needed to go through several steps.

Google security engineer Tavis Ormandy found that an attacker could create a valid clickjacking scenario for a user that has used LastPass to log into an account and direct them to a compromised or malicious website loaded with a specially created iframe.
In the vulnerability disclosure submitted to LastPass, the researcher details the technical aspect and how subsequent clickjacking can reveal the last credentials used by a victim.
The makers of the password manager acknowledged the vulnerability and on Friday they published an advisory announcing that they resolved the bug.
The company notes that "while any potential exposure due to the bug was limited to specific browsers (Chrome and Opera), as a precaution, we’ve deployed the update to all browsers." The process is automated so users do not have to take any action.
 

ForgottenSeer 58943

LastPass is really fast at fixing things but the code is still closed source. Bitwarden Premium is cheaper and better.

Absolutely. I've been promoting Bitwarden since a couple of weeks after it came out. Not only does it avoid utilization of buggy AWS (Azure is better), but it's open source, and the developer is super responsive.

LastPass, never trusted them. Never will.
 

DeepWeb

Absolutely. I've been promoting Bitwarden since a couple of weeks after it came out. Not only does it avoid utilization of buggy AWS (Azure is better), but it's open source, and the developer is super responsive.

LastPass, never trusted them. Never will.
When I switched from LastPass to Bitwarden, I changed all of my passwords. It was tedious but I think it was worth it.
 
