Password Manager LastPass Patches 2 Major Bugs


LastPass on Wednesday pushed a software update to Firefox users following reports of security vulnerabilities.

Marketing manager Amber Gott pointed to a pair of unrelated bugs that left the LastPass Firefox browser extension open to attack.

On Tuesday, Google Security Team researcher Tavis Ormandy reported a message-hijacking bug targeting the LastPass Firefox add-on. If a hacker lured a LastPass user to a malicious website, he or she "could then execute LastPass actions in the background without the user's knowledge, such as deleting items."

The issue, which only affected Firefox users running LastPass 4.0 or later, was fixed by Wednesday.

The other bug, a URL-parsing flaw discovered by security researcher Mathias Karlsson, could be used to trick the password manager into handing over the credentials stored for a specific site. Someone on their way to Facebook, for example, might click a spoofed URL that captures their password before passing them on to the real social network.
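The article does not say what the parsing flaw was, so the following is an added illustration, not LastPass code and not a reconstruction of Karlsson's finding: it contrasts a naive substring match on the page URL (assumed here as the class of mistake such bugs fall into) with a check that parses the URL with the WHATWG `URL` API and only autofills when the full `https` origin equals the origin stored with the vault entry. The sample URLs and the `www.facebook.com` entry are constructed for the demonstration.

```javascript
// Added example (not LastPass code): should a stored credential be offered
// to the current page? Compare parsed origins, never raw URL strings.

// Naive matcher: accepts any URL that merely contains the expected host.
// Assumption: stands in for the general class of string-based URL checks;
// it is not the specific bug the article reports.
function naiveHostMatch(pageUrl, expectedHost) {
  return pageUrl.includes(expectedHost);
}

// Robust matcher: parse with the platform URL parser, require https, and
// compare the whole origin (scheme + host + port) with the stored origin.
function mayAutofill(pageUrl, storedOrigin) {
  let parsed;
  try {
    parsed = new URL(pageUrl);
  } catch (e) {
    return false; // unparseable input: never fill
  }
  if (parsed.protocol !== 'https:') return false;
  return parsed.origin === storedOrigin;
}

// Constructed vault entry and sample page URLs (not real traffic).
const STORED_ORIGIN = 'https://www.facebook.com';
const SAMPLES = [
  'https://www.facebook.com/login',                   // genuine site
  'https://www.facebook.com@attacker.example/login',  // host hidden in userinfo
  'https://www.facebook.com.attacker.example/login',  // lookalike subdomain
  'http://www.facebook.com/login',                    // plain http
];

// Run both checks over the samples and return the decisions side by side.
function evaluate(urls) {
  return urls.map((u) => ({
    url: u,
    naive: naiveHostMatch(u, 'www.facebook.com'),
    robust: mayAutofill(u, STORED_ORIGIN),
  }));
}

for (const row of evaluate(SAMPLES)) {
  console.log(`${row.url}\n  naive=${row.naive}  robust=${row.robust}`);
}
```

The naive check says yes to all four URLs; the origin comparison says yes only to the genuine one, which is the property a credential-filling decision needs.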

LastPass patched that bug more than a year ago and awarded Karlsson a $1,000 bounty for reporting it.

"As always, we appreciate the work of the security community to challenge our product and ensure we deliver a secure service for our users," Gott said, thanking Karlsson, Ormandy "and others in the security community" for their disclosures.

"We value their work that helps us build a stronger, more secure product," she added.

Despite LastPass's updates, users should follow some general best practices for online security. That includes remaining alert and steering clear of possible phishing attacks, using a different and unique password for every online account, and turning on two-factor authentication when possible.

The password manager also suggests creating a strong master code for LastPass, and running antivirus software on a regular basis.
