LastPass users automatically updated to fix security vulnerability in browser extension

Graham Cluley

LastPass users automatically updated to fix security vulnerability

LastPass users automatically updated to fix security vulnerability

Popular password manager LastPass says that it has fixed a vulnerability in its Chrome and Opera browser extensions that could have potentially seen an attacker steal the username and password filled-in by the software on the previously-visited website.

In other words, you are someone using LastPass, you use LastPass to log into a website, you then visit a malicious webpage that – through some jiggerypokery – tricks the browser extension into serving up the password again.

As the LastPass team explains in its blog post, exploitation of the security hole is not completely straightforward:

“To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times. This exploit may result in the last site credentials filled by LastPass to be exposed.”

Even though there’s no evidence that the flaw was maliciously exploited, it makes sense to patch it.

LastPass version 4.33.0 and later fix the vulnerability, and according to the developers users’ browser extensions will update automatically without any user action required.

If you want to double-check the version number of your LastPass browser extension, click on the LastPass icon in the corner of your browser’s menu, and select the “Tools” option from the submenu.

Lastpass version

Choosing “About LastPass” will then show you the version number and build date of the browser plugin.

Google bug hunter extraordinaire Tavis Ormandy discovered the vulnerability which was in how the browser extension generated pop-up windows, and informed LastPass’s developers.

Details of the flaw were only made public after a security fix was published.

LastPass offers up to $5000 to security researchers who responsibly disclose details of flaws through its bug bounty programme.

Although it can be unsettling to hear about vulnerabilities in password managers as they contain such sensitive data, I continue to believe that the vast majority of users are much safer using a password manager than going without.

And, it should go without saying that users should defend their online accounts with multi-factor authentication and remain wary of suspicious links.

Graham Cluley Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

One Reply to “LastPass users automatically updated to fix security vulnerability in browser extension”

  1. Improve your security by copying your password in plaintext to the clipboard first. Strewth. Good to hear LastPass got the fix in place quickly.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.