Password manager LastPass has released an update last week to fix a security bug that exposes credentials entered on a previously visited site.
The bug was discovered last month by Tavis Ormandy, a security researcher with Project Zero, Google’s elite security and bug-hunting team.
LastPass, believed to be the most popular password manager app today, fixed the reported issue in version 4.33.0, released last week, on September 12.
If users have not enabled an auto-update mechanism for their LastPass browser extensions or mobile apps, they’re advised to perform a manual update as soon as possible.
This is because yesterday, Ormandy published details about the security flaw he found. The security researcher’s bug report walks an attacker through the steps necessary to reproduce the bug.
Attackers could lure users on malicious pages and exploit the vulnerability to extract the credentials entered on previously-visited sites. According to Ormandy, this isn’t as hard as it sounds, as an attacker could easily disguise a malicious link behind a Google Translate URL, trick users into visiting the link, and then extract credentials from a previously visited site.
“I think it’s fair to call this ‘High’ severity, even if it won’t work for *all* URLs,” Ormandy said.
Since the vulnerability was discovered and then privately reported by Google, there’s no reason to believe the bug has been exploited in the wild. A LastPass spokesperson did not return a request for comment.
Don’t abandon password managers because of a fixable bug
Like any other applications, password managers are sometimes vulnerable to bugs, which are in all cases eventually fixed.
Despite this vulnerability, users are still advised to rely on a password manager whenever they can. Using a password manager is many times better than leaving passwords stored inside a browser, from where they can be easily extracted by forensic tools and malware.
LastPass’ efficiency in keeping passwords away from prying eyes was proven this summer when the company couldn’t answer legal demands from the US Drug Enforcement Administration (DEA).
The company was told by cops to hand over information on a user, such as passwords and home address, but the company couldn’t comply with the order because the data was encrypted and they couldn’t access it.