LastPass Patches Bug Leaking Last-Used Credentials

Last UsedCredentials

A vulnerability recently addressed in LastPass could be abused by attackers to expose the last site credentials filled by LastPass.

A freemian password manager, LastPass shops encrypted passwords online with a web interface, internet browser plug-ins and smartphone applications.

The recent patched vulnerability affected Chrome and Opera browser extensions and could only be exploited under certain conditions, claims LastPass. The attacker could take advantage of the defect to generate a jack situation.

The user needs to fill in a password via the LastPass icon and then visit a compromise or malicious website. The intruder would also have to trick the user several times to click on the page.

“This exploit can result in the last LastPass website credentials being exposed,” describes LastPass.

Tavis Ormandy was the safety investigator in Google Project Zero who discovered the vulnerability and reported it to LastPass. The researcher says the defect is high severity, even if it does not work for all URLs.

On September 12, LastPass released a patch in the form of version 4.33.0/v4.33.4. All browser extensions are automatically updated and there is no need for user interaction.

“We worked rapidly to create a fix and checked the solution with Tavis was thorough,” LastPass notes.

LastPass also proposes a number of best practice methods such as avoiding clicking on connections from unknown sources, enabling multi-factor authentication for LastPass and for other facilities (bank, e-mail, Twitter, Facebook, etc.), preventing reuse or disclosure of the master LastPass password, the use for every account of distinctive passwords and antivirus program.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.