LastPass Working on Security Patch For Browser Extension Vulnerability

LastPass has advised all users of the password manager to launch sites directly from the LastPass vault and enable two-factor authentication wherever possible, until it addresses a vulnerability discovered in LastPass browser extensions.

The client-side vulnerability, discovered by Google security researcher Tavis Ormandy, allows for an attack that is "unique and highly sophisticated", said LastPass in a blog post, without disclosing further details.

"Over the weekend, Google security researcher Tavis Ormandy reported a new client-side vulnerability in the LastPass browser extension. We are now actively addressing the vulnerability. This attack is unique and highly sophisticated. We don’t want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties. So you can expect a more detailed post mortem once this work is complete."

To secure sign-in credentials in the meantime, LastPass has recommended that users launch sites directly from the vault and make use of two-factor authentication on sites that offer it, while remaining vigilant to avoid phishing attempts.

The news follows the discovery and successful patching of earlier remote code execution (RCE) vulnerabilities that could be used to steal passwords from extensions for Firefox, Chrome, Opera, and Edge. Safari was not mentioned in the original vulnerability alert, while mobile apps were not affected, but concerned users can follow the advice regardless until LastPass offers further news on the situation.

Top Rated Comments

37 months ago

Great idea, keep all your passwords in one location...


It's a much better idea than using the same password for 50 different websites.
Rating: 6 Votes
37 months ago

Last Pass is good enough for Steve Gibson (if you don't know who he is, look him up), and it's good enough for me.

It may be good enough for him, but I'd rather not go with a product that has had numerous issues with vulnerabilities and hacking. Regardless of his security chops, I think storing your data with a company that has such a poor track record of securing your data is not the best move imo.
Rating: 3 Votes
37 months ago

No, I have the app on my iPad and Mac as well. They don't link with each other; I manually have put in my passwords.

And besides if I lose my phone I have a backup on my Mac and in iCloud.

It's like anything if you lose your phone.

So your first post isn't true, you do use cloud services to store passwords.
Rating: 1 Votes
37 months ago

So your first post isn't true, you do use cloud services to store passwords.


First, I'm not looking for an argument, don't know why people are hating on me. I do not use password services that use the cloud. This is what I was referring to.

I only use iCloud for backups if I am having issues with my Mac which is the main place where I backup my devices.

I don't understand the hostility here?
Rating: 1 Votes
37 months ago

I use a simple password app that doesn't connect to the internet, doesn't use the cloud, etc.

It's simply just a place to store all my passwords in one place and I just look them up when I need them.

I will never ever use any kind of password service.


What if you lose your phone (I assume the app is on your phone)? Won't you lose those passwords?
Rating: 1 Votes
37 months ago
Last Pass is good enough for Steve Gibson (if you don't know who he is, look him up), and it's good enough for me. I've used it for many years and while nothing is ever foolproof, LP is about as good as it gets. They will have this fixed soon and I for one appreciate their transparency.
Rating: 1 Votes
37 months ago
1Password is the only way I can make myself use complex passwords and frequently change them. It currently holds >1,000 passwords, most of which are 20+ characters of gibberish.
Rating: 1 Votes
37 months ago

Great idea, keep all your passwords in one location...

The eternal struggle between security and convenience.
Rating: 1 Votes
37 months ago
This is why I don't trust anyone but myself to store the passwords.
Rating: 1 Votes