Best Password Managers: Security Flaw Found on LastPass On Chrome, Firefox
Google Project Zero researcher Tavis Ormandy disclosed two security flaws plaguing popular password manager LastPass, including one that would allow an attacker to steal “password for any domain.”
LastPass reported in a blog post, published Wednesday morning, that it has been working to push out fixes for the vulnerabilities and noted the fixes have been made available to protect users from potential exploits.
“As you can imagine our dev and engineering teams have been performing exhaustive analysis on the reports made by Tavis for the last 48 hours,” a spokesperson for LastPass told International Business Times. “It’s important to note that the fixes are being pushed to all users and most should be updated automatically.”
The issues, first reported on March 20, stemmed from the browser add-ons for the password manager, including the extensions for Google Chrome (version 4.1.42.80) and Mozilla Firefox (version 4.1.35a).
According to Ormandy, the vulnerability allowed an attacker to hijack the extension and issue a range of commands, from launching a computer's calculator program by manipulating the extension’s binary component to stealing a user’s passwords.
The vulnerabilities have been patched—LastPass said it issued a server-side workaround within just a few hours—and the updates have been pushed out to users.
“We have no indication that any of the reported vulnerabilities were exploited in the wild, but we’re doing a thorough review at this time to confirm,” LastPass said in a blog post.
“Very impressed with how fast LastPass responds to vulnerability reports,” Ormandy said on Twitter. “If only all vendors were this responsive.”
Password managers like LastPass are often recommended as an additional layer of protection against data breaches and brute-force attacks. Most password managers require users to remember just one master password while filling in passwords for sites and services with complicated combinations of characters that would be next to impossible to guess and are never reused for another account.
However, the crux of password managers is that the user must trust the company behind the password manager to take extra precautions to protect their passwords. LastPass’s speedy fixes demonstrate its dedication to security, though the fact that the exploits existed at all is cause for concern.
Ormandy recommends those in search of a password manager use KeePass, an open source option that doesn’t make use of browser extensions when storing a user’s passwords.
© Copyright IBTimes 2024. All rights reserved.