Updated Incident Report for LastPass vulnerability

frogboy

frogboy

In memoriam 1961-2018
Thread author
Verified
Top Poster
Well-known
Jun 9, 2013
6,720
Incident Report: March 31, 2017 (8:10 PM)

On Saturday, March 25th, security researcher Tavis Ormandy from Google’s Project Zero reported a security finding related to the LastPass browser extensions. In the last 24 hours, we’ve released an update which we believe fixes the reported vulnerability in all browsers and have verified this with Tavis himself.

Most users will be updated automatically. Please ensure you are running the latest version (4.1.44 or higher), which can always be downloaded at LastPass | Password Manager, Auto Form Filler, Random Password Generator & Secure Digital Wallet App.

Now that the issue is resolved, we want to provide a postmortem to our community on what the report entailed and how we are building a better, more secure LastPass going forward. Please note, due to the nature of the vulnerability, this postmortem is highly technical.

Overview

  • This was a client-side vulnerability in the LastPass browser extensions and could be exploited to steal data and manipulate the LastPass extension
  • Exploiting required luring a user to a malicious website (through phishing, spearphishing, or other attack), or to a trusted website running malicious adware
    • This requires a per-user attack that must be executed through the user’s local browser
  • All extensions have now been updated with the fix and submitted to the extension stores
    • Our mobile apps for Android and iOS were not affected.
    Read More. Security Update for the LastPass Extension | The LastPass Blog

 
  • Like
Reactions: SHvFl, Winter Soldier, vindiesel and 13 others
LASER_oneXM

LASER_oneXM

Level 37
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
thanks for this info ! ....updated my main machine few minutes ago: for me its extremly important to update this kind of
software/tools as soon/fast as possible !
 
  • Like
Reactions: SHvFl, Solarlynx and frogboy
frogboy

frogboy

In memoriam 1961-2018
Thread author
Verified
Top Poster
Well-known
Jun 9, 2013
6,720
HarryNguyen0330 said:
And your Cyberfox will be outdated soon, so switch back to Firefox or looking for other popular variants like Waterfox would be better for both security and stability.
Click to expand...
I have giving Waterfox a trial in the last few weeks already. ;) But i will continue to use Cyberfox until it is discontinued. :)
 
  • Like
Reactions: LASER_oneXM and SHvFl
You must log in or register to reply here.

Similar threads

upnorth
    • +Reputation
    • Like
Security News Fake LastPass lookalike made it into Apple App Store
Replies
1
Views
887
Security News
Ink
Ink
Ink
    • Like
    • Applause
Security News LastPass enforces a 12 character Master Password minimum
Replies
1
Views
2,206
Security News
Ink
Ink
MuzzMelbourne
    • Wow
    • +Reputation
    • Like
LastPass says employee’s home computer was hacked and corporate vault taken
Replies
35
Views
2,205
News Archive
TairikuOkami
TairikuOkami

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top