LastPass fixes password-leaking flaw
Google’s Project Zero finds a critical hole in the widely-used password manager


Password manager LastPass has patched a vulnerability that could have exposed the credentials a user had last entered on the previous site they visited.
A flaw in the password manager's browser extension left the service open to clickjacking attacks by cyber criminals. To fall victim, a LastPass user would have had to fill in their credentials on one website and then visit a compromised site, where they were tricked into clicking on a page link several times.
The vulnerability affected the LastPass web extension when used in the Google Chrome and Opera browsers, the company confirmed, and was fixed in last week's 4.33.0 update.
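The attack class named above, clickjacking, works by embedding a victim page or UI inside an attacker-controlled frame and luring the user into clicking on it. For an ordinary web page, the standard defence is to refuse to be framed at all, using the `Content-Security-Policy: frame-ancestors` directive or the older `X-Frame-Options` header. The following Python is an added example written for this article, not code from LastPass, Project Zero or the disclosure, and it illustrates the general web-page defence rather than the specific fix LastPass shipped in its extension. It parses those two headers from constructed sample responses and reports whether each page could be embedded by a third party.

```python
"""Classify an HTTP response's anti-framing (clickjacking) policy from its headers.

Rules applied (per the CSP Level 3 and X-Frame-Options specifications):
  * If CSP carries a frame-ancestors directive, it takes precedence and
    X-Frame-Options is ignored by the browser.
  * X-Frame-Options DENY / SAMEORIGIN are honoured; ALLOW-FROM is obsolete
    (never supported by Chrome, dropped by Firefox) so it gives no protection.
"""
from typing import Dict, List, Optional


def parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def framing_policy(headers: Dict[str, str]) -> str:
    """Return one of: 'blocked', 'same-origin', 'restricted', 'any'.

    'any' means nothing stops a third-party site from framing the page,
    which is the precondition for a classic clickjacking attack.
    """
    lowered = {name.lower(): value for name, value in headers.items()}

    ancestors = parse_frame_ancestors(lowered.get("content-security-policy", ""))
    if ancestors is not None:
        sources = [source.lower() for source in ancestors]
        if sources == ["'none'"]:
            return "blocked"
        if sources == ["'self'"]:
            return "same-origin"
        # Explicit allow-list of origins: framing only from those hosts.
        return "restricted"

    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # Missing header, an unknown value, or the obsolete ALLOW-FROM form.
    return "any"


# Constructed sample responses for demonstration; none of these come from
# LastPass or from the Project Zero write-up.
SAMPLES: Dict[str, Dict[str, str]] = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo_deny": {"X-Frame-Options": "DENY"},
    "xfo_sameorigin": {"x-frame-options": "SAMEORIGIN"},
    "xfo_allow_from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp_none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    # CSP wins over the conflicting X-Frame-Options here.
    "csp_list": {
        "Content-Security-Policy": "frame-ancestors 'self' https://trusted.example",
        "X-Frame-Options": "DENY",
    },
}


def audit(samples: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map each sample name to its framing policy verdict."""
    return {name: framing_policy(headers) for name, headers in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        flag = "  <-- clickjacking-prone" if verdict == "any" else ""
        print(f"{name:16s} {verdict}{flag}")
```

The checker only looks at a single response's headers; a real audit would also need to account for multiple `Content-Security-Policy` headers on one response and for the `Content-Security-Policy-Report-Only` variant, which reports violations but does not block framing.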
The bug was first disclosed by Google's Project Zero research team, specifically the security researcher Tavis Ormandy. The disclosure, dated 29 August, walks a would-be attacker through the steps needed to run a successful exploit.
The researcher reported the vulnerability to LastPass a few weeks ago and gave the company time to develop a fix. The flaw was made public this weekend.
LastPass has warned users to be aware of the scale of phishing attacks routinely launched against web users, and to use both anti-malware and anti-virus software.
Users of the password manager were also told to enable multi-factor authentication on all services where possible. Moreover, users should never reuse the LastPass master password, and keep different and unique passwords for every online account.
Password managers like LastPass have been touted as a way around the fallibility of having to set and remember passwords for a variety of personal and work systems. They are used alongside two-factor authentication (2FA) for logging into systems, as well as biometric authentication.
Many, including Microsoft, have long claimed that passwords are not fit for purpose in today's landscape. Astonishingly, the 'random' password 'ji32k7au4a83' was found earlier this year to have been used in 141 data breaches, for instance.
Four widely-used password managers were themselves found to have a set of serious flaws that could allow hackers to break in and steal information, according to research published in February.
Having examined 1Password, Dashlane, KeePass, and LastPass, Independent Security Evaluators (ISE) found that every application had "serious" vulnerabilities that allowed attackers to infiltrate them while they were running in the background.

Keumars Afifi-Sabet is a writer and editor who specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.