Mathias Karlsson, a security researcher at Detectify Labs, writes:
Stealing all your passwords by just visiting a webpage. Sounds too bad to be true? That’s what I thought too before I decided to check out the security of the LastPass browser extension.
In his article, Karlsson explains how he was able to trick LastPass into believing that it was on the real Twitter website, and so cough up the user's Twitter credentials, because of a bug in the LastPass password manager's autofill functionality.
The same technique could have been used to steal passwords associated with other websites.
The good news is that Karlsson believes in responsible disclosure, and so informed LastPass of the problem. In more good news, LastPass fixed the issue in less than a day (and awarded Karlsson a $1,000 bug bounty for his efforts).
Karlsson recommends that LastPass users disable the autofill functionality and enable multi-factor authentication for better security.
Although his discovery is troubling, I agree with Karlsson when he points out that using a password manager is still better than reusing passwords on different websites.
PS. Well-known vulnerability researcher Tavis Ormandy also tweeted overnight that he has found a flaw in LastPass.