LastPass bug reported to leak credentials from previously visited sites


LastPass is a popular password manager. It recently released an update to fix a security bug that is said to expose credentials entered on a previously visited site. The bug was found by Tavis Ormandy, a security researcher with Project Zero, Google’s elite security and bug-hunting team. LastPass is reported to have fixed the issue in version 4.33.0, which was released last week. Users are strongly advised to enable auto-update for their LastPass browser extensions or to update manually right away.

The bug is seen as dangerous and exploitable because it relies only on executing malicious JavaScript, with no other user interaction. This makes it easy for attackers to extract credentials previously entered on visited sites. Ormandy said: “I think it’s fair to call this ‘High’ severity, even if it won’t work for ‘all’ URLs”.

However, there is no need to be afraid of using this app or, for that matter, your preferred password manager. Here are quick recommendations from LastPass security:

* It is advised to not click on links from people you don’t know, or the ones that seem out of character from your trusted contacts and companies.

* Make sure to enable Multi-Factor Authentication for LastPass and other services such as a bank, email, Twitter, Facebook, etc.

* Be careful and never reuse your LastPass master passcode and never disclose it to anyone, including us as well.

* It is highly recommended to use different, unique passwords for every online account.

* Lastly, make sure you keep your computer malware-free by running antivirus with the latest detection arrangements and keeping your software up-to-date. 
