Windows 10 News and info | Forum
Topic: LastPass bug leaks credentials from previous site

Posted by javajolt (Administrator)
« on: September 17, 2019, 12:28:12 AM »

Password manager LastPass released an update last week to fix a security bug that exposes credentials entered on a previously visited site.

The bug was discovered last month by Tavis Ormandy, a security researcher with Project Zero, Google's elite security and bug-hunting team.

Fix Available

LastPass, believed to be the most popular password manager app today, fixed the reported issue in version 4.33.0, released last week, on September 12. In a blog post, the company said the bug only impacts its Chrome and Opera browser extensions.

If users have not enabled an auto-update mechanism for their LastPass browser extensions, they're advised to perform a manual update as soon as possible.

This is because yesterday, Ormandy published details about the security flaw he found. The security researcher's bug report walks an attacker through the steps necessary to reproduce the bug.

Since the bug relies on executing malicious JavaScript code alone, with no other user interaction, the bug is considered dangerous and potentially exploitable.

Attackers could lure users to malicious pages and exploit the vulnerability to extract the credentials users had entered on previously visited sites. According to Ormandy, this isn't as hard as it sounds, as an attacker could easily disguise a malicious link behind a Google Translate URL, trick users into visiting the link, and then extract credentials from a previously visited site.

"I think it's fair to call this 'High' severity, even if it won't work for *all* URLs," Ormandy said.

Since the vulnerability was discovered and then privately reported by Google, there's no reason to believe the bug has been exploited in the wild. A LastPass spokesperson did not return a request for comment.

Don't Abandon Password Managers Because Of A Fixable Bug

Like any other application, password managers are sometimes vulnerable to bugs, which are in all cases eventually fixed.

Despite this vulnerability, users are still advised to rely on a password manager whenever they can. Using a password manager is many times better than leaving passwords stored inside a browser, from where they can be easily extracted by forensic tools and malware.

LastPass' efficiency in keeping passwords away from prying eyes was proven this summer when the company couldn't answer legal demands from the US Drug Enforcement Administration (DEA).

The company was told by cops to hand over information on a user, such as passwords and home address, but the company couldn't comply with the order because the data was encrypted and they couldn't access it.

source
« Last Edit: September 17, 2019, 03:43:15 AM by javajolt »