Last week, researcher Tavis Ormandy of Google Project Zero found and published a vulnerability in the LastPass browser extension. The vulnerability affects the Chrome and Opera extensions and could allow a malicious server to capture LastPass credentials. Neither LastPass nor Project Zero has released full details of how the exploit works, but from the Project Zero notes we believe an attacker could use credentials cached from another browser tab to fool the extension into auto-filling the wrong password. According to LastPass the exploit requires multiple user clicks, so it cannot retrieve your password on the first page load.
A password manager like LastPass is an extremely valuable target for attackers, and any exploit that is not resolved immediately could cause massive damage. LastPass released 4.33.0 to resolve the issue on all browsers even though only the Chrome and Opera extensions were affected. By default the LastPass extension updates automatically without any user action, but users can disable that behavior, so it is worth confirming the installed version rather than assuming the update landed. In Chrome you can check the LastPass version by right-clicking the LastPass icon and selecting Manage extensions (or by opening chrome://extensions); in Opera, open opera://extensions and look for the version shown under the LastPass entry.
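Checking one browser by hand is fine, but if you administer many machines you want the same check in a script. The following Python example is added here and is not code from the original post or from LastPass. It assumes the on-disk layout Chrome and Opera use for unpacked extensions, `Extensions/<id>/<version>/manifest.json` under the browser profile, matches LastPass by its manifest name rather than a hard-coded store ID (the IDs in the sample tree are placeholders), resolves Chrome's `__MSG_key__` localised names through the English locale file, and compares versions numerically so that `4.9.0` is not mistaken for being newer than `4.33.0`. The sample profile it builds is constructed for the demonstration.

```python
"""Verify that the newest installed LastPass copy in a Chromium-style profile
is at or above the fixed release. Added example, not the original post's code."""
import json
import os
import re
import tempfile

# Version the post names as carrying the fix.
FIXED_VERSION = "4.33.0"
# Assumption: the extension's manifest "name" contains "LastPass". The store
# ID is deliberately not hard-coded; Chrome and Opera IDs differ.
NAME_PATTERN = re.compile(r"lastpass", re.IGNORECASE)


def parse_version(text):
    """'4.33.0' -> (4, 33, 0). Numeric tuples compare correctly, whereas as
    strings '4.9.0' > '4.33.0', which is how naive version checks go wrong."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def version_at_least(installed, required):
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def resolve_name(ext_dir, name):
    """Chrome localises manifest names as '__MSG_key__'; resolve the key via
    the English locale file when present so the match does not silently fail."""
    m = re.fullmatch(r"__MSG_(\w+)__", name)
    if not m:
        return name
    messages = os.path.join(ext_dir, "_locales", "en", "messages.json")
    if not os.path.isfile(messages):
        return name
    with open(messages, encoding="utf-8") as fh:
        return json.load(fh).get(m.group(1), {}).get("message", name)


def find_lastpass_installs(extensions_root):
    """Walk Extensions/<id>/<version>/manifest.json and return
    [(ext_id, version)] for every copy whose name matches LastPass."""
    found = []
    for ext_id in sorted(os.listdir(extensions_root)):
        id_dir = os.path.join(extensions_root, ext_id)
        if not os.path.isdir(id_dir):
            continue
        for version_dir in sorted(os.listdir(id_dir)):
            ext_dir = os.path.join(id_dir, version_dir)
            manifest = os.path.join(ext_dir, "manifest.json")
            if not os.path.isfile(manifest):
                continue
            with open(manifest, encoding="utf-8") as fh:
                data = json.load(fh)
            if NAME_PATTERN.search(resolve_name(ext_dir, data.get("name", ""))):
                # Trust the manifest's version field, not the folder name,
                # which Chrome suffixes (e.g. '4.33.0_0').
                found.append((ext_id, data.get("version", "0")))
    return found


def check_profile(extensions_root, required=FIXED_VERSION):
    """Report whether the newest installed LastPass copy is at least `required`.
    Chrome keeps the previous version folder briefly after an update, so the
    newest copy is the one that matters."""
    installs = find_lastpass_installs(extensions_root)
    if not installs:
        return {"installed": False, "newest": None, "ok": False}
    newest = max((v for _, v in installs), key=parse_version)
    return {"installed": True, "newest": newest,
            "ok": version_at_least(newest, required)}


def build_sample_profile():
    """Constructed sample tree (not real data): an old and a new LastPass copy
    plus an unrelated extension, under a temporary directory. IDs are placeholders."""
    root = tempfile.mkdtemp(prefix="extensions_")

    def write(path, obj):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(obj, fh)

    lp = os.path.join(root, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa")
    write(os.path.join(lp, "4.32.0_0", "manifest.json"),
          {"name": "LastPass: Free Password Manager", "version": "4.32.0"})
    write(os.path.join(lp, "4.33.0_0", "manifest.json"),
          {"name": "__MSG_appName__", "version": "4.33.0"})
    write(os.path.join(lp, "4.33.0_0", "_locales", "en", "messages.json"),
          {"appName": {"message": "LastPass"}})
    other = os.path.join(root, "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb")
    write(os.path.join(other, "1.0_0", "manifest.json"),
          {"name": "Unrelated Extension", "version": "1.0"})
    return root


if __name__ == "__main__":
    print(check_profile(build_sample_profile()))
```

To run it against a real profile, pass the profile's `Extensions` directory to `check_profile` (for example `~/.config/google-chrome/Default/Extensions` on Linux or `~/Library/Application Support/Google/Chrome/Default/Extensions` on macOS). A result of `installed: False` on a machine that should have LastPass is itself worth investigating, since a user who removed the extension and re-added it from an unofficial source would also fail the name match.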
Password managers improve security for everyone, but they do have drawbacks, such as being a high-value target. Keep any password manager you use updated.