LastPass fixes critical browser extension bugs

By on
LastPass fixes critical browser extension bugs

Researcher says password managers are still safer than recycling.

Popular credentials management application LastPass has pushed out a fix for bugs that could leak user passwords to malicious sites, and run the program in the background without user interaction.

The first issue, discovered a year ago by Detectify Labs security researcher Mathias Karlsson, involves a bug in the uniform resource locator (URL) parser in the LastPass browser extension that could be exploited to reveal user credentials to attackers.

The bug would allow attackers to trick the program into thinking it is on a specific site and automatically fill login and other credentials.

Karlsson said the flaw shouldn't deter people from using password managers, arguing they are still a better option than recycling login credentials.

He recommended turning off the autofilling of credentials in password managers, however, as the feature has been shown to be vulnerable to cross-scripting exploits in the past.

Karlsson earnt a US$1000 (A$1334) bug bounty for his discovery.

Separately to Karlsson, Google's Project X researcher Tavis Ormandy yesterday claimed on Twitter that he had discovered "a bunch of obvious critical problems", one of which could be used for a full remote compromise of Lastpass.

LastPass said the vulnerability Ormandy discovered is in the Firefox web browser password manager add-on, and if successfully exploited, could be used to run LastPass in the background without a users knowledge.

This message hijacking flaw discovered by Ormandy could be used to delete items, but LastPass said attackers would need to trick users into visiting a malicious website first.

However, Ormandy said that wasn't the case, and the attacks he outlined required no such subterfuge.

LastPass thanked the researchers for their responsible disclosure of the vulnerabilities, both of which have been patched in version 4.0 of the credentials manager.

The company also warned users to be wary of phishing attacks, and not to click on links from people they don't know or URLs that seem out of character in messages from trusted contacts.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © . All rights reserved.

Most Read Articles

Log In

  |  Forgot your password?