LastPass Fixes a Password-Exposing Bug

Popular password manager LastPass says that it has fixed a vulnerability in its Chrome and Opera browser extensions that could have allowed an attacker to steal the username and password the extension had filled in on the previously visited website.

The vulnerability was discovered by Google Project Zero researcher Tavis Ormandy, who privately reported it to LastPass. Ormandy said the flaw stemmed from the way the extension generated pop-up windows. In certain situations, a website could produce the pop-up by creating an HTML iframe that loaded the LastPass popupfilltab.html document directly, rather than through the expected procedure of calling a function named do_popupregister(). Because the pop-up was never registered for the current site, it could open showing the credentials of the most recently visited site instead.

LastPass published a post that said the bugs had been fixed and described the "limited set of circumstances" required for the flaws to be exploited.

“To exploit this bug, a series of actions would need to be taken by a LastPass user, including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times,” according to the post attributed to Security Engineering Manager Ferenc Kun. “This exploit may result in the last site credentials filled by LastPass to be exposed.”

Kun said LastPass deployed the update to all browsers, even though the vulnerability Ormandy discovered was “limited” to Chrome and Opera. The company also confirmed with Ormandy that the solution was “comprehensive,” Kun added.

Security experts recommend that Web users running LastPass ensure that the version of the software they’re running is 4.33 or later.

Source: WIRED