LastPass fixes bug that could let malicious websites extract your last used password

Illustration by Alex Castro / The Verge

LastPass has patched a bug that would have allowed a malicious website to extract a previous password entered by the service’s browser extension. ZDNet reports that the bug was discovered by Tavis Ormandy, a researcher in Google’s Project Zero team, and was disclosed in a bug report dated August 29th. LastPass fixed the issue on September 13th and deployed the update to all browsers, where it should be applied automatically, something LastPass users would be smart to verify.

The bug works by luring users onto a malicious website and fooling the browser extension into filling in a password that was last used on a previously visited website. Ormandy notes that attackers could use a service like Google Translate to disguise a malicious URL and trick vulnerable users into visiting a rogue site.

Although LastPass says the update should be applied automatically, you should definitely check that you’re running the most up-to-date version of the service’s browser extension, particularly if you’re using a browser which allows you to disable automatic updates for extensions. The bug was patched with version 4.33.0 of the extension. LastPass said that it believed only the Chrome and Opera browsers were affected by the bug, but that it’s deployed the same patch to all browsers as a precaution.
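The article tells readers to confirm that the installed extension is at least version 4.33.0. The following script, added here as an example and not part of the article or any LastPass tooling, does that check for a Chromium-style profile: it walks an extension directory, reads each manifest.json whose name mentions LastPass, and compares the installed version component by component against 4.33.0. The profile paths and the `<extension-id>/<version>_<n>/manifest.json` layout are assumptions about Chrome’s on-disk format; adjust them for your browser and operating system. Manifests that use a localized placeholder name (such as `__MSG_appName__`) will not be matched by the name filter.

```python
"""Report whether installed LastPass extensions are at or above the patched version.

Added example: compares the version from each matching manifest.json against 4.33.0,
the version the article names as the fix.
"""
import json
import re
from pathlib import Path

PATCHED_VERSION = "4.33.0"  # version named in the article as carrying the fix

# Assumed default Chrome profile extension directories (Linux, macOS, Windows).
DEFAULT_EXTENSION_DIRS = [
    Path.home() / ".config" / "google-chrome" / "Default" / "Extensions",
    Path.home() / "Library" / "Application Support" / "Google" / "Chrome" / "Default" / "Extensions",
    Path.home() / "AppData" / "Local" / "Google" / "Chrome" / "User Data" / "Default" / "Extensions",
]


def parse_version(version: str) -> tuple:
    """Turn '4.33.0' into (4, 33, 0). Comparison is numeric per component,
    so '4.9.0' sorts below '4.33.0' (a plain string comparison would get this wrong)."""
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def is_patched(installed: str, patched: str = PATCHED_VERSION) -> bool:
    """True when the installed version is at or above the patched version.
    Shorter tuples are padded with zeros so '4.33' equals '4.33.0'."""
    a, b = parse_version(installed), parse_version(patched)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def find_extension_versions(extensions_dir, name_substring: str = "lastpass") -> dict:
    """Return {manifest_path: version} for every manifest.json under extensions_dir
    whose 'name' field contains name_substring (case-insensitive).
    Assumed layout: <extensions_dir>/<extension-id>/<version>_<n>/manifest.json."""
    found = {}
    root = Path(extensions_dir)
    if not root.is_dir():
        return found
    for manifest in root.glob("*/*/manifest.json"):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than crash
        name = str(data.get("name", ""))
        if name_substring.lower() in name.lower():
            found[str(manifest)] = str(data.get("version", "0"))
    return found


def report(extensions_dirs=DEFAULT_EXTENSION_DIRS) -> dict:
    """Map each matching manifest to (installed_version, is_patched)."""
    results = {}
    for directory in extensions_dirs:
        for path, version in find_extension_versions(directory).items():
            results[path] = (version, is_patched(version))
    return results


if __name__ == "__main__":
    hits = report()
    if not hits:
        print("No LastPass extension manifest found in the default Chrome profile directories.")
    for path, (version, ok) in hits.items():
        print(f"{'OK    ' if ok else 'UPDATE'} {version:10} {path}")
```

Run it as a normal user; it only reads manifest files. A line starting with UPDATE means that copy of the extension predates the fix and should be updated, and a browser with extension auto-updates disabled is exactly the case the article warns about.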

In a statement posted on its blog, LastPass downplayed the severity of the bug. The company’s Security Engineering Manager, Ferenc Kun, said that the exploit relied on a user visiting a malicious site and then being tricked into clicking on the page “several times.” Ormandy nevertheless gave the bug a “High” severity rating. The bug was responsibly disclosed to LastPass before being made public, and there’s no evidence that an exploit was ever deployed on the web.

Despite this bug, using a password manager is still a great measure to take for the sake of your online security. The existence of the bug highlights the fact that password managers, like any online service, can still be susceptible to security problems. As a result, it’s a good idea to add two-factor authentication to any sites that support it, along with using strong unique passwords that you never reuse between services.


Lastpass has had loads of issues similar to this. I really think it’s a terrible password manager in comparison to bitwarden, dashlane or 1password.

The problem is the sheer number of these issues.

Why trust your passwords to something with such a poor security history? It doesn’t evoke feelings of confidence.

This is mostly because LP is a huge target. You can expect more issues to be found in your favorite manager if they become more popular.

LastPass has shown time and again to be transparent and very fast to respond to issues. Everyone is going to have security bugs – how you handle them says everything.

The fact that researchers are finding out security problems and they are being fixed right away does not make Lastpass a "terrible password manager", it actually makes it one of the best.

Did you even read the article?

ZDNet reports that the bug was discovered by Tavis Ormandy, a researcher in Google’s Project Zero team, and was disclosed in a bug report dated August 29th. LastPass fixed the issue on September 13th

How is that right away in a case of a possibly critical breach that hits the foundation on which the company is raised?

No, it’s not. And it really doesn’t matter how you want to spin this. User access and password breaches are high priority cases.

It feels like the main issue with lastpass is that it is a browser plugin, so it sort of lives and dies by the implementation on the browser, which is a very popular attack surface. It’s also a popular password manager because its free tier allows for all the common use cases… The plus side is there are more people looking at lastpass, so maybe that’s good despite the negative PR.

This is why I don’t trust password managers… I mean I find them a lazy solution… which is also ok, people just don’t care, they don’t want to memorize passwords…

When you are required to change your password every month, it becomes a hassle to remember it. Password managers are also good for generating random passwords.

I have unique logins to 100s of sites, sorry I’m not going to be able to remember them all.

It’s really just lazy people who are the real problem, because they reuse passwords, not password managers.

LMAO… this comment is laughable.

I have well over a hundred accounts stored in LastPass, each with a unique password. Most are set to at least 16 or more characters and are as complex as the individual sites will allow. You think I’m lazy because I’m not willing to memorize all of them?

You can’t memorize all your credentials without reusing most of them, which is the most terrible solution.

You’re kidding right? Please tell me how you remember 50+ passwords.

Nope. A lazy solution is using the same password on multiple accounts. Just don’t use LastPass, they suck.

And this is why I still manage my passwords algorithmically. I keep being tempted to use these password managers, but just feel a bit insecure trusting all my passwords to a piece of software.
My algorithm manages to generate unique passwords for each site, but still be visually not obvious how it was obtained.

I use Bitwarden for this reason. At least they are open source and can be vetted by third parties

Stopped using LastPass back in 2015 after their 2 major security incidents. This latest one now makes 5. I get it.. LP is popular because its basic tier is free. But there is just something uncomfortable and unreassuring about trusting all of my logins, financial accounts, SSN, passport, DL and other most trusted documents to something free.

Not the first time. Why do people use this crap software? I’ve never had an issue with dashlane.
