Password-manager LastPass has fixed a critical bug that could have been used to leak last used credentials. The bug was discovered last month, and a bug report has now been published for the public. The report published by Tavis Ormandy, a security researcher with Project Zero, Google's security and bug-hunting team, pegs the bug to be ‘highly severe' and potentially exploitable. Because the report details the necessary steps to reproduce the vulnerability, it is important that all users update to version 4.33.0. LastPass issued a fix for the bug with this new version last week.
As mentioned, the password manager's vulnerability was discovered by Ormandy and privately reported to the company last month. LastPass issued an update last week, and now Google has made the bug report public. It details a step by step process by which the bug can be reproduced and misused, and the report can be found on the company site. The flaw in the browser extension of its password manager software created a clickjacking risk. It essentially produced a way for malicious sites to trick LastPass users into disclosing the credentials of a site they had previously visited. Ormandy tweeted that LastPass could leak the last used credentials due to a cache not being updated.
In its defence, LastPass issued an advisory. “To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times. This exploit may result in the last site credentials filled by LastPass to be exposed. We quickly worked to develop a fix and verified the solution was comprehensive with Tavis,” the post explained.
The company further says that no user action is required and your LastPass browser extension will update automatically. However, we do recommend all users to double check if they are on the latest update version 4.33.0, to be absolutely sure they are safe from any potential threats. These developments were first reported by ZDNet.
As the bug was discovered in private and fixed, there's no reason to believe that it may have been exploited in the wild or misused. In any event, we do not recommend against using password managers. They enable users to have unique passwords for different websites, and are critical tools for staying safe because the most annoying thing about the internet is passwords, and remembering them. However, we do recommend keeping a regular check on software updates, and staying up-to-date on that front.