Password Manager LastPass Patches 2 Major Bugs


LastPass on Wednesday pushed a software update to Firefox users following reports of security vulnerabilities.

Marketing manager Amber Gott pointed to a pair of unrelated bugs that left the LastPass Firefox browser extension open to attack.

On Tuesday, Google Security Team researcher Tavis Ormandy reported a message-hijacking bug targeting the LastPass Firefox add-on. If a hacker lured a LastPass user to a malicious website, he or she "could then execute LastPass actions in the background without the user's knowledge, such as deleting items."

The issue, which only affected Firefox users running LastPass 4.0 or later, was fixed by Wednesday.

The other bug, a URL-parsing bug discovered by security researcher Mathias Karlsson, could be used to trick the password manager into sharing codes for specific sites. Someone on their way to Facebook, for example, may click a spoof URL that steals their passwords before logging them into the real social network.
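The article does not describe how the URL-parsing bug worked, but the class of flaw it belongs to is easy to illustrate: a password manager decides which saved login to offer by matching the page's address against the site stored in the vault, and a loose match (a substring check, or a parser that can be confused by user-info or query strings) will offer credentials to a look-alike address. The following is an added example, not LastPass code or any description of its parser; `naive_site_match`, `strict_site_match`, `select_credentials`, the sample vault and the sample URLs are all constructed for illustration.

```python
"""Comparing a loose and a strict site check for credential autofill.

Added example; the function names, the vault and the URLs are constructed
for illustration and do not describe any real password manager's logic.
"""
from urllib.parse import urlsplit

# Constructed vault: registrable host -> saved username.
SAMPLE_VAULT = {
    "facebook.com": "alice@example.net",
    "bank.example": "alice",
}


def naive_site_match(page_url: str, saved_site: str) -> bool:
    """Loose check: the saved site merely appears somewhere in the URL.

    This is the pattern to avoid: it is satisfied by a look-alike host
    (facebook.com.evil.example), by a query string that mentions the site,
    and by an address whose user-info part contains the site name.
    """
    return saved_site in page_url


def strict_site_match(page_url: str, saved_site: str) -> bool:
    """Strict check: the page's parsed hostname must equal the saved site
    or be a subdomain of it, and the page must be served over HTTPS."""
    parts = urlsplit(page_url)
    if parts.scheme != "https":          # assumption: autofill only on HTTPS
        return False
    host = parts.hostname                # lowercased; user-info and port stripped
    if host is None:
        return False
    # Require an exact host match or a dot-delimited subdomain; the leading
    # dot stops "notfacebook.com" from passing as a subdomain.
    return host == saved_site or host.endswith("." + saved_site)


def select_credentials(page_url: str, vault: dict, matcher=strict_site_match):
    """Return the username the manager would offer for this page, or None."""
    for site, username in vault.items():
        if matcher(page_url, site):
            return username
    return None


if __name__ == "__main__":
    # Constructed page addresses: one genuine, three look-alikes.
    pages = [
        "https://www.facebook.com/login",
        "https://facebook.com.evil.example/login",
        "https://facebook.com@evil.example/",
        "https://evil.example/?next=facebook.com",
    ]
    for url in pages:
        print(url)
        print("  naive :", select_credentials(url, SAMPLE_VAULT, naive_site_match))
        print("  strict:", select_credentials(url, SAMPLE_VAULT))
```

Run stand-alone, the script shows the naive matcher offering the Facebook username on all four addresses, while the strict matcher offers it only on the genuine one. The design point is that the decision must be made on the parsed hostname, never on the raw URL string: `urlsplit` already discards the user-info (`facebook.com@`) and query (`?next=facebook.com`) parts that a substring check would happily match on.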

LastPass patched that bug more than a year ago, and gave Karlsson a $1,000 bounty for his help.

"As always, we appreciate the work of the security community to challenge our product and ensure we deliver a secure service for our users," Gott said, thanking Karlsson and Ormandy, "and others in the security community," for their disclosures.

"We value their work that helps us build a stronger, more secure product," she added.

Despite LastPass's updates, users should follow some general best practices for online security. That includes remaining alert and steering clear of possible phishing attacks, using a different and unique password for every online account, and turning on two-factor authentication when possible.

The password manager also suggests creating a strong master password for LastPass, and running antivirus software on a regular basis.
