LastPass patches up two major vulnerabilities
No product is flawless, and that includes the password manager you rely on. LastPass has had its own issues to deal with, including two major security vulnerabilities in its browser extensions. The good news is that both have already been patched, and the company has released an update covering both bugs. The first was discovered by researcher Mathias Karlsson: a URL parsing bug could be used to trick LastPass into divulging passwords for specific sites. You might accidentally click a spoofed URL and think you're off to Twitter, but the malicious page steals your passwords and then quietly passes you on to the social network without your knowing that anything happened. It took LastPass a day to resolve this, and the company gave Karlsson a US$1,000 bounty for the discovery.
The second bug was found by Google Security Team researcher Tavis Ormandy. It affects the Firefox extension and, thankfully, has been fixed too. An attacker could lure you to a malicious site and then have that site execute LastPass actions, such as deleting items, without your knowledge. In light of these discoveries, LastPass is giving its users some important reminders: don't click links from people you don't know, use different passwords for different accounts, and activate two-factor authentication wherever it is offered.