LastPass Fixes Bug That Leaks Credentials | Threatpost

LastPass has patched a bug that could potentially allow malicious websites to access a web user’s credentials from a previously visited site.

Tavis Ormandy, a vulnerability researcher from Google Project Zero, discovered the flaw in the LastPass password manager and published it on the project’s website on Aug. 29, rating it as “high.” He followed that up with a Twitter post warning web users about the bug on Sunday.

“LastPass could leak the last used credentials due to a cache not being updated,” Ormandy Tweeted. “This was because you can bypass the tab credential cache being populated by including the login form in an unexpected way!”

In other words, if a web user running LastPass entered credentials to one site and then surfed to another, the second site could have unauthorized access the username and password from the first site. If the second site is malicious, it could put the user at risk of cybercriminals.

Between the bug’s discovery and Ormandy’s Twitter announcement of the vulnerability, LastPass said it fixed the bug in a blog post dated Sept. 13. The company also diminished its severity.

“To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times,” according to the post attributed to Security Engineering Manager Ferenc Kun. “This exploit may result in the last site credentials filled by LastPass to be exposed.”

Kun said LastPass deployed the update to all browsers, even though the vulnerability Ormandy discovered was “limited” to Chrome and Opera. The company also confirmed with Ormandy that the solution was “comprehensive,” Kun added.

“We have now resolved this bug; no user action is required and your LastPass browser extension will update automatically,” he wrote in the post.

Security experts recommend that Web users running LastPass ensure that the version of the software they’re running is 4.33 or later.

The bug isn’t the first that Ormandy discovered in the password management software. The Google researcher has been keeping LastPass’s security team on its toes in recent years.

In 2017, LastPass was prompted to patch three bugs that could allow for password theft thanks to Ormandy’s detective work. The year before that, Ormandy discovered a vulnerability in the password manager’s Firefox add-on that allows attackers remotely compromise it, which LastPass also subsequently fixed.