LastPass fixes critical browser extension bugs

By on
LastPass fixes critical browser extension bugs

Researcher says password managers are still safer than recycling.

Popular credentials management application LastPass has pushed out a fix for bugs that could leak user passwords to malicious sites, and run the program in the background without user interaction.

The first issue, discovered a year ago by Detectify Labs security researcher Mathias Karlsson, involves a bug in the uniform resource locator (URL) parser in the LastPass browser extension that could be exploited to reveal user credentials to attackers.

The bug would allow attackers to trick the program into thinking it is on a specific site and automatically fill login and other credentials.

Karlsson said the flaw shouldn't deter people from using password managers, arguing they are still a better option than recycling login credentials.

He recommended turning off the autofilling of credentials in password managers, however, as the feature has been shown to be vulnerable to cross-scripting exploits in the past.

Karlsson earnt a US$1000 (A$1334) bug bounty for his discovery.

Separately to Karlsson, Google's Project X researcher Tavis Ormandy yesterday claimed on Twitter that he had discovered "a bunch of obvious critical problems", one of which could be used for a full remote compromise of Lastpass.

LastPass said the vulnerability Ormandy discovered is in the Firefox web browser password manager add-on, and if successfully exploited, could be used to run LastPass in the background without a users knowledge.

This message hijacking flaw discovered by Ormandy could be used to delete items, but LastPass said attackers would need to trick users into visiting a malicious website first.

However, Ormandy said that wasn't the case, and the attacks he outlined required no such subterfuge.

LastPass thanked the researchers for their responsible disclosure of the vulnerabilities, both of which have been patched in version 4.0 of the credentials manager.

The company also warned users to be wary of phishing attacks, and not to click on links from people they don't know or URLs that seem out of character in messages from trusted contacts.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
bugslastpasssecurity

Sponsored Whitepapers

Responding To Industry Trends And Our 5m+ Users
Responding To Industry Trends And Our 5m+ Users
The Future of Digital Identity in Government
The Future of Digital Identity in Government
Secure Public Services for Every Australian
Secure Public Services for Every Australian
7½ Questions for Aged Care's Digital Decisions
7½ Questions for Aged Care's Digital Decisions
Creating the Sustainable IT Department
Creating the Sustainable IT Department

Most Read Articles

Australia appoints first cyber security coordinator

Australia appoints first cyber security coordinator
Apple rushes out patches for exploited zero day bugs

Apple rushes out patches for exploited zero day bugs
Perpetual 'extended outage' caused by security incident at third-party

Perpetual 'extended outage' caused by security incident at third-party
Exploit emerges for Cisco VPN client vulnerability

Exploit emerges for Cisco VPN client vulnerability

Digital Nation

How eBay uses interaction analytics to improve CX
How eBay uses interaction analytics to improve CX
Health tech startup Kismet raises $4m in pre-seed funding
Health tech startup Kismet raises $4m in pre-seed funding
More than half of loyalty members concerned about their data
More than half of loyalty members concerned about their data
COVER STORY: The opportunities and risks of cybersecurity insurance in Australia
COVER STORY: The opportunities and risks of cybersecurity insurance in Australia
DeepAI founder on the risks of artificial intelligence
DeepAI founder on the risks of artificial intelligence

Log In

  |  Forgot your password?