silversurfer
A security vulnerability in the extension of LastPass password manager could have allowed stealing the credentials last used for logging into a website.
Exploiting the bug was possible in Google Chrome and Opera web browsers and required some effort to be successful since the target needed to go through several steps.
Google security engineer Tavis Ormandy found that an attacker could create a valid clickjacking scenario for a user who has used LastPass to log into an account and direct them to a compromised or malicious website loaded with a specially created iframe.
In the vulnerability disclosure submitted to LastPass, the researcher details the technical aspect and how subsequent clickjacking can reveal the last credentials used by a victim.
The makers of the password manager acknowledged the vulnerability and on Friday they published an advisory announcing that they resolved the bug.
The company notes that "while any potential exposure due to the bug was limited to specific browsers (Chrome and Opera), as a precaution, we’ve deployed the update to all browsers." The process is automated so users do not have to take any action.
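The scenario above hinges on a malicious page framing content it does not own, which is the general precondition for clickjacking. As an added illustration (not code from the article, from LastPass or from the researcher), the following checker evaluates whether an HTTP response's headers stop a page from being embedded cross-origin, the standard site-side clickjacking mitigation. It treats a CSP `frame-ancestors` directive as authoritative and falls back to `X-Frame-Options`, which matches how current browsers apply the two; the sample header sets at the bottom are constructed for the demonstration. Note that this addresses framing of ordinary web pages in general rather than the extension-side bug the article describes, which the vendor's update fixed.

```javascript
// Added example: assess whether a response's headers prevent cross-origin framing.
// Not part of the article or of LastPass's code; header samples are constructed.

function parseFrameAncestors(cspValue) {
  // Return the source list of the frame-ancestors directive, or null if absent.
  for (const directive of cspValue.split(";")) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === "frame-ancestors") {
      return parts.slice(1);
    }
  }
  return null;
}

function assessFramingProtection(headers) {
  // headers: plain object mapping lowercase header names to values.
  // Returns { protected: boolean, reason: string }.
  const csp = headers["content-security-policy"];
  if (csp) {
    const ancestors = parseFrameAncestors(csp);
    if (ancestors !== null) {
      // frame-ancestors takes precedence over X-Frame-Options when both are present.
      const lowered = ancestors.map((s) => s.toLowerCase());
      if (lowered.includes("*")) {
        return { protected: false, reason: "frame-ancestors allows any origin" };
      }
      return { protected: true, reason: `frame-ancestors restricts embedding to: ${ancestors.join(" ")}` };
    }
  }
  const xfo = headers["x-frame-options"];
  if (xfo) {
    const value = xfo.trim().toUpperCase();
    if (value === "DENY" || value === "SAMEORIGIN") {
      return { protected: true, reason: `X-Frame-Options ${value}` };
    }
    // ALLOW-FROM and unrecognised values are not enforced by current browsers.
    return { protected: false, reason: `X-Frame-Options value not enforced by modern browsers: ${xfo}` };
  }
  return { protected: false, reason: "no frame-ancestors or X-Frame-Options header; page can be framed cross-origin" };
}

// Constructed sample responses (hypothetical, for demonstration only).
const SAMPLE_RESPONSES = {
  unprotected: { "content-type": "text/html" },
  xfoDeny: { "content-type": "text/html", "x-frame-options": "DENY" },
  cspSelf: { "content-type": "text/html", "content-security-policy": "default-src 'self'; frame-ancestors 'self'" },
  cspWildcard: { "content-security-policy": "frame-ancestors *" },
};

function auditAll(responses) {
  // Run the check over every sample and return name -> verdict.
  return Object.fromEntries(
    Object.entries(responses).map(([name, h]) => [name, assessFramingProtection(h)])
  );
}

console.log(JSON.stringify(auditAll(SAMPLE_RESPONSES), null, 2));
```

The checker can be pointed at real response headers captured from a proxy or a fetch, lowercasing the names first; a `protected: false` verdict on a page that renders login or credential UI is the finding a defender would want to follow up.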
Source: Password-Revealing Bug Quickly Fixed in LastPass Extensions (www.bleepingcomputer.com)