LastPass users automatically updated to fix security vulnerability in browser extension

Popular password manager LastPass says that it has fixed a vulnerability in its Chrome and Opera browser extensions that could potentially have let an attacker steal the username and password the software had filled in on the previously visited website.


In other words: you use LastPass to log into a website, and you then visit a malicious webpage that, through some jiggery-pokery, tricks the browser extension into serving up that same password again.


As the LastPass team explains in its blog post, exploitation of the security hole is not completely straightforward:



“To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times. This exploit may result in the last site credentials filled by LastPass to be exposed.”



Even though there’s no evidence that the flaw was maliciously exploited, it makes sense to patch it.


LastPass version 4.33.0 and later fix the vulnerability, and according to the developers, users’ browser extensions will update automatically without any user action required.


If you want to double-check the version number of your LastPass browser extension, click on the LastPass icon in the corner of your browser’s menu, and select the “Tools” option from the submenu.



Choosing “About LastPass” will then show you the version number and build date of the browser plugin.


Google bug hunter extraordinaire Tavis Ormandy