A major security flaw in the popular password manager LastPass has recently been patched. The bug was in the browser extension, and it allowed a specially crafted page to access the credentials the user had most recently used.
A brief note on the issue recently appeared on the LastPass blog. The developers explain that the bug has been fixed by an update and that users are now secure. They also suggest that exploiting the bug in practice was unlikely, because several conditions had to be met.
LastPass could leak the last used credentials due to a cache not being updated. This was because you can bypass the tab credential cache being populated by including the login form in an unexpected way! https://t.co/bfLdDzSWS5
– Tavis Ormandy
First, the LastPass user would have to have filled a form by clicking the extension icon, and second, they would have to visit the malicious site and be persuaded to make at least a few clicks there. The developers add that the vulnerability affected only the Chrome and Opera extensions, but the fix has been rolled out to all variants of the program.
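The tweet describes the bug as a per-tab credential cache that was not refreshed when a login form appeared in an unexpected way. The following is an added, simplified model of that bug class written for this article; it is not LastPass's code, and the vault entries, origins and function names are constructed for illustration. It contrasts a fill routine that trusts the cache blindly with one that checks the cached origin against the origin the tab is currently showing.

```javascript
// Simplified model (hypothetical, not LastPass's code) of a per-tab credential
// cache in a password-manager extension: the stale-cache failure and the
// origin check that prevents it.

// Constructed sample vault data.
const VAULT = [
  { origin: "https://bank.example", username: "alice", password: "s3cret-bank" },
  { origin: "https://shop.example", username: "alice", password: "s3cret-shop" },
];

// One cache entry per tab, recording which origin the credentials belong to.
const tabCache = new Map();

// Runs when the extension detects a login form through its normal hook.
function populateCache(tabId, pageOrigin) {
  const entry = VAULT.find((e) => e.origin === pageOrigin) || null;
  tabCache.set(tabId, { origin: pageOrigin, entry });
}

// Vulnerable fill: returns whatever the cache holds for this tab, even when the
// current page's form was added in a way that never triggered populateCache.
function fillVulnerable(tabId) {
  const cached = tabCache.get(tabId);
  return cached ? cached.entry : null;
}

// Hardened fill: only returns credentials if the cache entry was stored for the
// origin the tab is showing right now; a stale entry yields nothing.
function fillHardened(tabId, currentOrigin) {
  const cached = tabCache.get(tabId);
  if (!cached || cached.origin !== currentOrigin) return null;
  return cached.entry;
}

// Constructed scenario: the user fills a form on bank.example in tab 1, then the
// same tab navigates to a different origin whose login form does not trigger
// the detection hook, so the cache is never refreshed.
function scenario() {
  tabCache.clear();
  populateCache(1, "https://bank.example");
  const currentOrigin = "https://other.example"; // hook did not fire here
  return {
    vulnerable: fillVulnerable(1),            // stale bank credentials
    hardened: fillHardened(1, currentOrigin), // null
  };
}
```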
The vulnerability in LastPass was discovered and reported by Tavis Ormandy, a researcher at Google Project Zero. Project Zero is a team focused on finding security vulnerabilities and bugs, including in popular software. We recently reported on its work in the context of iOS updates.