When using a password manager, the last thing you need is for your passwords to be leaked through a critical bug in the program. Bugs have been found in LastPass, in both its Chrome and Firefox add-ons. The password manager needs to patch major security flaws that allow malicious websites to steal passphrases from millions of victims.
Tavis Ormandy, a professional hacker working for Google’s crack Project Zero security team, found the programming issues with LastPass. He discovered that the content script of the Chrome extension (the part of the extension that runs inside every web page) could be exploited. A web page carrying malicious code can attack through LastPass and extract usernames and passwords. Clearly, this is a huge problem, as it gives hackers access to almost anything people are using the password manager for.
The usernames and passwords LastPass manages are stored in the cloud. When you use LastPass and visit a site you have saved a password for, LastPass automatically fills in the login information for you. This makes it easy to surf the net without having to worry about remembering passwords. The problem is that, while the bug is unpatched, a malicious site can reach those same passwords.
Ormandy further showed that it’s possible to use the script to run commands on the victim’s computer, making it possible for a website to install malware. This malware installation only works for users who have installed the optional binary component of LastPass alongside the browser extension.
Joe Siegrist, co-founder and VP of LastPass stated, “We greatly appreciate the work of the security community to challenge our product and uncover areas that need improvement.”
Thanks to Ormandy’s quick work, LastPass was able to fix the problems in its software. It encourages all users to keep up with updates so that their system is always running the latest version.
Ormandy then discovered another problem for LastPass’s software engineers: a further vulnerability in the Firefox extension. It is similar in nature, in that a malicious web page can steal passwords and other critical information. The bug has been addressed, but the security patch has to be approved by Mozilla; it is in the Mozilla review process and will reach users shortly.
LastPass is making it clear that the bugs have been patched to prevent malicious websites from stealing passwords. It is encouraging all users to make sure they are running the most recent version of the software and to update all extensions manually if the browser doesn’t do it automatically.
LastPass states that the most current versions of its extensions are 4.1.36 for Firefox, 220.127.116.11 for Chrome, 4.1.30 for Edge, and 4.1.28 for Opera.