LastPass has patched a bug that would have allowed a malicious website to extract a previous password entered by the service’s browser extension. ZDNet reports that the bug was discovered by Tavis Ormandy, a researcher in Google’s Project Zero team, and was disclosed in a bug report dated August 29th. LastPass fixed the issue on September 13th, and deployed the update to all browsers where it should be applied automatically, something LastPass users would be smart to verify.
The bug works by luring users onto a malicious website and fooling the browser extension into filling in a password from a previously visited website. Ormandy notes that attackers could use a service like Google Translate to disguise a malicious URL and trick vulnerable users into visiting a rogue site.
Although LastPass says the update should be applied automatically, you should definitely check that you’re running the most up-to-date version of the service’s browser extension, particularly if you’re using a browser that allows you to disable automatic updates for extensions. The bug was patched in version 4.33.0 of the extension. LastPass said that it believed only the Chrome and Opera browsers were affected by the bug, but that it has deployed the same patch to all browsers as a precaution.
In a statement posted on its blog, LastPass downplayed the severity of the bug. The company’s Security Engineering Manager, Ferenc Kun, said that the exploit relied on a user visiting a malicious site and then being tricked into clicking on the page “several times.” Ormandy nevertheless gave the bug a “High” severity rating. The bug was responsibly disclosed to LastPass before being made public, and there’s no evidence that an exploit was ever deployed on the web.
Despite this bug, using a password manager is still a great measure to take for the sake of your online security. The existence of the bug highlights the fact that password managers, like any online service, can still be susceptible to security problems. As a result, it’s a good idea to add two-factor authentication to any sites that support it, along with using strong unique passwords that you never reuse between services.