Password-Revealing Bug Quickly Fixed in LastPass Extensions

silversurfer

A security vulnerability in the LastPass password manager extension could have allowed an attacker to steal the credentials last used for logging into a website.
Exploiting the bug was possible in Google Chrome and Opera web browsers and required some effort to be successful since the target needed to go through several steps.

Google security engineer Tavis Ormandy found that an attacker could create a valid clickjacking scenario for a user that has used LastPass to log into an account and direct them to a compromised or malicious website loaded with a specially created iframe.
In the vulnerability disclosure submitted to LastPass, the researcher details the technical aspect and how subsequent clickjacking can reveal the last credentials used by a victim.
The makers of the password manager acknowledged the vulnerability and on Friday they published an advisory announcing that they resolved the bug.
The company notes that "while any potential exposure due to the bug was limited to specific browsers (Chrome and Opera), as a precaution, we’ve deployed the update to all browsers." The process is automated so users do not have to take any action.
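Clickjacking of the kind described above only works when the page holding the sensitive control can be loaded inside an attacker's iframe. As an added example (not code from the article, from LastPass, or from the fix it describes), the following evaluates whether a response's headers let a given origin frame the page, honouring the rule that a CSP `frame-ancestors` directive overrides `X-Frame-Options`. It assumes headers are supplied as a lowercased name-to-value object; the origins and header values are constructed samples.

```javascript
// Parse one Content-Security-Policy header value into directive -> source list.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1)); // first occurrence wins
  }
  return directives;
}

// Does one frame-ancestors source expression match the origin trying to frame the page?
// Simplified: paths are ignored and 'self' is compared against pageOrigin.
function sourceMatches(src, origin, pageOrigin) {
  const s = src.replace(/^'|'$/g, '').toLowerCase();
  if (s === 'none') return false;
  if (s === 'self') return origin === pageOrigin;
  if (s === '*') return true;
  const o = new URL(origin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return s === o.protocol; // scheme-source, e.g. https:
  const [scheme, hostPart] = s.includes('://') ? s.split('://') : [null, s];
  if (scheme && scheme + ':' !== o.protocol) return false;
  const host = hostPart.split('/')[0];
  if (host.startsWith('*.')) return o.host.endsWith(host.slice(1)); // wildcard host
  return o.host === host || o.hostname === host;
}

// headers: object of lowercased header name -> value. Returns { framable, reason }.
function canBeFramed(headers, framingOrigin, pageOrigin) {
  const csp = headers['content-security-policy'];
  const fa = csp ? parseCsp(csp).get('frame-ancestors') : undefined;
  if (fa) {
    // When frame-ancestors is present, browsers ignore X-Frame-Options entirely.
    const allowed = fa.some((src) => sourceMatches(src, framingOrigin, pageOrigin));
    return { framable: allowed, reason: 'frame-ancestors ' + fa.join(' ') };
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { framable: false, reason: 'X-Frame-Options: DENY' };
  if (xfo === 'SAMEORIGIN') {
    return { framable: framingOrigin === pageOrigin, reason: 'X-Frame-Options: SAMEORIGIN' };
  }
  // ALLOW-FROM is obsolete and ignored by current browsers, so anything else is no protection.
  return { framable: true, reason: 'no clickjacking protection header' };
}

// Constructed sample (not a real site): a response carrying no framing protection at all.
console.log(canBeFramed({ 'content-type': 'text/html' }, 'https://attacker.example', 'https://vault.example'));
```

A page that reports `framable: true` for an untrusted origin is a clickjacking candidate regardless of what it renders; the remedy is to serve `frame-ancestors 'none'` (or `'self'` where same-origin framing is needed).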
LastPass is really fast at fixing things but the code is still closed source. Bitwarden Premium is cheaper and better.

Absolutely. I've been promoting Bitwarden since a couple of weeks after it came out. Not only does it avoid utilization of buggy AWS (Azure is better), but it's open source, and the developer is super responsive.

Last Pass, never trusted them. Never will.
When I switched from LastPass to Bitwarden, I changed all of my passwords. It was tedious but I think it was worth it.