Password manager LastPass has fixed an important bug that could be used to leak the last used credentials. The bug was discovered last month, and the bug report has now been made public. The report, published by Tavis Ormandy, a security researcher with Project Zero, Google’s security and bug-hunting team, describes the bug as ‘highly serious’ and potentially exploitable. Since the report details the steps required to reproduce the vulnerability, it is important that all users update to version 4.33.0. LastPass released a fix for the bug in this new version last week.
As noted, the password manager’s vulnerability was discovered by Ormandy and reported privately to the company last month. LastPass released an update last week, and Google has now made the bug report public. It details, step by step, how the bug can be reproduced and misused, and the report can be found on the company’s site. A flaw in the browser extension of its password manager software posed a clickjacking risk. This essentially paves the way for malicious sites to trick LastPass users into revealing the credentials for the site they previously visited. Ormandy tweeted that LastPass could leak the last used credentials because the extension’s cache was not updated.
In response, LastPass issued an advisory. “To take advantage of this bug, LastPass will require a number of actions to be performed, including tricking the user into filling in a password with the LastPass icon, then visiting a compromised or malicious site, and finally clicking on the page. This exploit may result in credentials filled by LastPass for the last site. We quickly worked to develop a fix and verified that the solution was comprehensive with Tavis,” the post explained.
The company further states that no user action is required and that the LastPass browser extension will be updated automatically. However, we advise all users to check that they are on the latest version, 4.33.0, to ensure that they are protected from any possible threat. These developments were first reported by ZDNet.
As the bug was discovered and disclosed privately, there is no reason to believe that it has been used or misused in the wild. In any event, we do not recommend against using password managers. They enable users to have unique passwords for different websites and are important tools for staying safe, because the most annoying thing about the Internet is passwords, and remembering them. However, we recommend keeping a regular check on software updates and staying up to date on that front.