Google warns users of popular password manager Lastpass that dangerous bug may have exposed their credentials
- Users of the password manager, Lastpass, were alerted to a dangerous bug
- A flaw allowed potential hackers to steal passwords from sites previously viewed
- The bug has since been fixed and there is no record of it being exploited
- Researchers say using password managers is still advisable
A flaw in the free password manager, Lastpass, could have exposed the credentials of the service’s more than 16 million users.
In a tweet, security researchers at Google’s Project Zero team describe how, by embedding malicious code in a website, a hacker could trick Lastpass into divulging the passwords for previously visited websites.
Though the bug, originally reported on August 29, has since been patched, a flaw in Lastpass is notable given how many users — including 58,000 businesses according to Forbes — rely on the service.
Lastpass was found to be exploitable using malicious code. By getting a user to visit an infected link, a hacker could potentially steal passwords from previously visited sites.
‘LastPass could leak the last used credentials due to a cache not being updated,’ tweeted Tavis Ormandy, a vulnerability researcher at Google.
‘This was because you can bypass the tab credential cache being populated by including the login form in an unexpected way!’
Ormandy rated the severity of the bug as ‘high’ because an exploit could have been triggered simply by directing a user to a specific web page, for example by disguising a link in a Google Translate pop-up.
Despite the apparent risks of the bug, Lastpass took issue with Ormandy’s rating in a statement posted to the service’s web page.
‘To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times,’ said Ferenc Kun, the security engineering manager for LastPass.
‘This exploit may result in the last site credentials filled by LastPass being exposed. We quickly worked to develop a fix and verified the solution was comprehensive with Tavis.’
Lastpass updated its code on September 13 and, according to the company, the fix is automatic, meaning users aren’t required to manually initiate an update.
Despite the occasional flaw, security researchers still highly recommend using password managers to help guard against hackers.
According to white-hat hacker John Opdenakker, the biggest culprit behind security breaches is often that a password is too weak, has been reused across multiple accounts, or both.
‘If your password management practices consist of reusing passwords (which is a no go) you’re far better off using a tool to manage strong and unique passwords for your user accounts,’ writes the researcher in a helpful blog post.
HOW CAN LASTPASS USERS AVOID BEING HACKED?
The password manager Lastpass was discovered to contain a flaw that potentially allowed hackers to scrape passwords from previously visited sites.
While there’s no evidence that the flaw was actually exploited, Lastpass offered several suggestions to its users in order to protect their security:
- Beware of phishing attacks. Do not click on links from people you don’t know, or that seem out of character from your trusted contacts and companies.
- Always enable MFA for LastPass and other services like your bank, email, Twitter, Facebook, etc. Adding additional layers of authentication remains the most effective way to protect your account.
- Never reuse your LastPass master password and never disclose it to anyone, including us.
- Use different, unique passwords for every online account.
- Keep your computer malware-free by running antivirus with the latest detection patterns and keeping your software up-to-date.
– via Lastpass