Vulnerability in LastPass allowed malicious websites to extract user passwords

LastPass has fixed a bug that allowed a malicious website to extract the last password entered by the service's browser extension. The vulnerability was found by Tavis Ormandy, a researcher on Google’s Project Zero team, and disclosed in a vulnerability report on August 29. LastPass fixed the issue on September 13 and deployed the update to the LastPass extension for all browsers.

“LastPass Rebrand” by Alex Hsiao is licensed under CC BY-NC-ND 4.0

The attack works by luring a user to a malicious website and tricking the browser extension into filling in the password from a previously visited website. Ormandy pointed out that attackers can use services such as Google Translate to disguise malicious website addresses and entice vulnerable users into visiting rogue websites.

Although LastPass says the patch is applied automatically, you should check that your LastPass extension is up to date, especially if you are using a browser that allows you to disable automatic extension updates. After this update, the version number of the LastPass browser extension is 4.33.0. LastPass said it believes only the Chrome and Opera browsers are affected by this vulnerability, but as a precaution it has deployed the same patch to the LastPass extension for all browsers.

Via: ZDNet