Security flaws are never a good thing to encounter, but when those flaws can potentially compromise a password manager, that’s when things get particularly alarming. LastPass has notified users of a flaw with some of its browser extensions which may have allowed certain passwords to be revealed. The good news is that the flaw has already been patched out and that users would have needed to carry out a specific set of actions for their passwords to be compromised.
In a blog post on its website, LastPass says it was first alerted to this bug by Google Project Zero security researcher Tavis Ormandy. Ormandy discovered that when using the LastPass extensions for Chrome and Opera and following a specific series of actions, users could potentially expose one of their stored passwords.
It’s those actions that mean the number of users impacted by this flaw should be low. “To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times,” LastPass wrote in its blog post. “This exploit may result in the last site credentials filled by LastPass to be exposed. We quickly worked to develop a fix and verified the solution was comprehensive with Tavis.”
LastPass says that it has deployed an update to all browsers (even though only Chrome and Opera were impacted) that fixes this flaw, but it doesn’t actually say what the version number of the updated extensions is. As of September 11th, the Chrome extension is on version 4.33 and the Opera extension is on version 4.33.04, so while it seems likely that’s the fixed version, it’s hard to make that call for sure without a proper changelog.
In any case, LastPass took this opportunity to remind users of some internet security best practices. Among the standard warnings to keep an eye out for phishing attacks and to make sure your computer is malware free, LastPass also encourages users to turn on multi-factor authentication for all important services that offer it and to never reuse their LastPass master password.