LastPass has fixed a security bug that could have exposed user credentials entered on the last visited website. Users are advised to confirm they are running the patched up, latest version 4.33.0 of the software.
Google Project Zero has revealed that the password manager LastPass carried a massive security exploit that could enable attackers to lure unsuspecting users to fill a password using the LastPass icon on a website and then visit a compromised website.
Earlier today, Tavis Ormandy of the Project Zero tweeted that "LastPass could leak the last used credentials due to a cache not being updated." Ormandy added that this happened "because you can bypass the tab credential cache being populated by including the login form in an unexpected way!"
Ferenc Kun, the security engineering manager for LastPass, said in a statement that "a limited set of circumstances on specific browser extensions" could potentially allow attackers to create a clickjacking scenario. Kun added:
To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times. This exploit may result in the last site credentials filled by LastPass to be exposed.
LastPass password manager makers have also shared some recommendations for users
- Beware of phishing attacks. Do not click on links from people you don’t know, or that seem out of character from your trusted contacts and companies.
- Always enable MFA for LastPass and other services like your bank, email, Twitter, Facebook, etc. Adding additional layers of authentication remains the most effective way to protect your account.
- Never reuse your LastPass master password and never disclose it to anyone, including us.
- Use different, unique passwords for every online account.
- Keep your computer malware-free by running antivirus with the latest detection patterns and keeping your software up-to-date.
LastPass has said that no user action is required and the browser extension will be updated automatically.