Passwords are the first and last line of defense against getting hacked, which is why users are strongly advised to use strong, unique passwords for each service. Keeping track of those, however, is more than our little brains can handle, which is why password-managing services have thrived. But what if those services themselves become vulnerable? That was the situation LastPass found itself in when its web extensions were discovered to be exploitable and could be used to trick users into giving away their passwords. The good news is that LastPass has already addressed those issues, but the episode should still serve as a warning to everyone.
Aside from simply remembering the passwords you made up (or that the app suggested), LastPass and its kin offer some conveniences as well. In particular, they have autofill features that automatically fill in login or other details depending on which website you are viewing. Sadly, however, those very conveniences are at the root of two rather disturbing security holes.
There were two reported exploits involving LastPass' browser extensions. One directly affected the autofill feature; the other affected a specific extension for Firefox browsers. The autofill exploit allowed an attacker to quickly gain access to a user's password for a particular site or service (like, say, twitter.com) by using a cunningly crafted URL that the extension mistook for that site. The Firefox browser extension, on the other hand, allowed attackers to run LastPass actions in the background without users knowing it, actions like deleting passwords. In both cases, users had to be lured into visiting a malicious website first.
LastPass reports that both holes were plugged immediately once they were reported. It is still a frightening reminder of how even password managers are not free from such vulnerabilities, and of why they should be subjected to even more scrutiny and research. LastPass also recommends some best practices to keep in mind even when using its service. Mathias Karlsson, who reported the autofill bug, also recommends disabling autofill features entirely, with LastPass or any other password manager.