
A LastPass Vulnerability Leaked Login Credentials – Update Now!


LastPass is a popular password manager that has earned credibility owing to its efficiency. Nonetheless, like any other software, it is prone to security flaws. Recently, a researcher discovered a vulnerability in LastPass that, if exploited, could expose the login credentials of previously visited websites.

LastPass Vulnerability Leaking Credentials

Reportedly, Tavis Ormandy of Google Project Zero has discovered a bug in the popular password manager LastPass. This LastPass vulnerability could expose the credentials of last visited sites.

Describing the vulnerability in a Chrome bug report, the researcher stated that a vulnerability to clickjacking could expose site credentials.

I noticed that you can create a popup without calling do_popupregister() by iframing popupfilltab.html (i.e. via moz-extension, ms-browser-extension, chrome-extension, etc). It’s a valid web_accessible_resource.
Because do_popupregister() is never called, ftd_get_frameparenturl() just uses the last cached value in g_popup_url_by_tabid for the current tab. That means via some clickjacking, you can leak the credentials for the previous site logged in for the current tab.

The researcher also shared ways to reproduce the flaw. Although it didn't work for all websites, the researcher deemed it a high-severity bug, as the exploit requires no user interaction.
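The stale-cache pattern described in the quoted report can be modeled in a few lines. This is an added example, not LastPass source code or its actual patch: the function names, the origin check and the URLs are assumptions made for illustration, and `embedderUrl` is assumed to come from a source the extension can trust.

```javascript
// Simplified model, not LastPass source. Names are hypothetical stand-ins for
// the cache and lookup named in the quoted report.
const popupUrlByTabId = new Map(); // tabId -> page URL saved at last registration

// Normal flow: a popup is registered for the page that requested it.
function registerPopup(tabId, pageUrl) {
  popupUrlByTabId.set(tabId, pageUrl);
}

// Flawed lookup: returns the cached URL for the tab even when the popup frame
// on the current page was never registered, so a stale entry is reused.
function frameParentUrlStale(tabId) {
  return popupUrlByTabId.get(tabId) ?? null;
}

// Hardened lookup (assumed mitigation): fail closed unless the cached entry
// has the same origin as the page that actually embeds the popup frame.
function frameParentUrlChecked(tabId, embedderUrl) {
  const cached = popupUrlByTabId.get(tabId);
  if (!cached) return null;
  return new URL(cached).origin === new URL(embedderUrl).origin ? cached : null;
}

// Constructed scenario: tab 7 registers a popup on site A, then navigates to
// site B, which frames the popup page directly without any registration.
function runScenario() {
  popupUrlByTabId.clear();
  const tabId = 7;
  const siteA = "https://accounts.site-a.example/login";
  const siteB = "https://site-b.example/page";
  registerPopup(tabId, siteA);
  return {
    stale: frameParentUrlStale(tabId),             // site A's URL: wrong site's context
    checked: frameParentUrlChecked(tabId, siteB),  // null: nothing is offered
    sameSite: frameParentUrlChecked(tabId, siteA)  // site A's URL: normal use still works
  };
}

console.log(runScenario());
```

The general lesson for extension authors is that per-tab state must be bound to the page that created it and rejected when the embedding page differs.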

Patch Available

After discovering the bug, Ormandy privately reported it to Google. Hence, there seems to be no active exploitation of the vulnerability.

Following the report, the latest version of LastPass is out with the patch. Users should make sure they update to LastPass version 4.33.0.

This isn’t the first time that LastPass has had a security flaw. Numerous vulnerabilities were reported in the tool in previous years as well. Nonetheless, such incidents do not really diminish the importance of LastPass as an effective password manager. Given the growing incidents of credential stuffing and password hacks, it is imperative to keep your accounts secure with a robust password manager like LastPass.

Let us know your thoughts in the comments.

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world!