LastPass, one of the most popular password managers, has been found to carry a vulnerability that could have exposed credentials belonging to the service’s more than 16 million users, including 58,000 businesses. The issue came to light through a tweet from security researchers on Google’s Project Zero team, which read,
“lastpass: bypassing do_popupregister() leaks credentials from previous site bugs.chromium.org”
According to experts, “by embedding a website with malicious code, a hacker could trick Lastpass into divulging the password of previously visited websites.” Although the bug has reportedly been patched, it is worth noting that 58,000 businesses currently rely on the company’s service.
Tavis Ormandy, a vulnerability researcher at Google, rated the severity of the bug as ‘high’ because exploitation required only luring a user to a specific web page, for instance via disguised malicious links in Google pop-ups. Commenting on the finding, Ferenc Kun, LastPass’s security engineering manager, added,
“To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times.”
According to white-hat hacker John Opdenakker, the biggest culprit behind security breaches is often that a password is too weak and/or has been reused across multiple accounts.
Even so, there is absolutely no reason to stop using LastPass, or your preferred password manager for that matter. “Although password managers like any other software have flaws, the benefits of using one far outweigh the risks,” says ethical hacker John Opdenakker. “It’s far more likely that your accounts will get compromised by attacks that exploit poor passwords,” Opdenakker says, “such as through credential reuse, than by attacks against password managers themselves.”
LastPass has since patched the vulnerability, and the fix has been verified by Project Zero. According to the original sources, the fix was rolled out on 13 September, and Kun confirmed that “we have now resolved this bug; no user action is required and your LastPass browser extension will update automatically.” Users whose browser or enterprise policy blocks automatic extension updates should nonetheless confirm that the LastPass extension has actually updated.