After a Google Project Zero disclosure, LastPass has fixed a high-severity bug in some of its browser extensions. The flaw let a malicious site read the username and password from the user's most recently auto-filled login, provided the user could be induced to click on the page several times.
“To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times,” explained LastPass in a blog post. “This exploit may result in the last site credentials filled by LastPass to be exposed. We quickly worked to develop a fix and verified the solution was comprehensive with Tavis.”
As you’d expect, security is incredibly important in a password manager: full access to someone’s vault of passwords would give an attacker access to every account they own. Thankfully, this exploit was limited to the last-filled site, but that could still expose banking or email credentials, and if the user had reused that password across multiple sites, the effect would be more severe.
An attacker could perform a ‘clickjacking’ attack via a specially crafted script on their website, tricking the user into clicking on disguised page elements. This could pull information from the user’s credential cache because the cache was not being properly updated after a fill.
LastPass security engineering manager Ferenc Kun says users don’t have to take any action to be protected against the vulnerability. The extension should have updated automatically, and the fix is rolling out to all browsers even though the vulnerability was limited to Chrome and Opera.
That said, users may want to check their LastPass version manually to make sure. You’ll want to be on version 4.33 or later to ensure you have the fix. As Tavis Ormandy of the Project Zero team has discovered several bugs in LastPass over the past few years, it’s always a good idea to keep automatic updates on.