
LastPass has a security bug that is putting accounts at risk

A serious, previously unknown security vulnerability has been discovered in LastPass that permits attackers to remotely compromise user accounts.


The researcher, who has found critical problems and security failures in software including Symantec products and Avast solutions, is setting his sights on 1Password next.

Respected Google Project Zero white hat Tavis Ormandy recently revealed a gaping security hole within password manager LastPass’ software that puts millions of users at risk.


While examining the password manager, he tweeted on Tuesday, “Are people really using this lastpass thing?” He pointed to a blog explaining the problem to users and recommended that users update LastPass in their browsers. “I’ll send a report asap”, he wrote, and later followed up by confirming that he had reported the issue to LastPass and that it did pave the way for total remote compromise of accounts.

Password managers also have one potentially large weakness: if your master password is leaked, then all of your other passwords are, too. In this case, an attacker exploiting the bug in the autofill functionality could extract the credentials for twitter.com, and could use the same tactic to get the credentials for other popular sites.

On Wednesday, Mathias Karlsson at Detectify Labs said that he had also managed to hack LastPass, in this case to steal user passwords. Detectify Labs noted that both vulnerabilities require the hacker to trick the user into visiting a malicious site in order to work.
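The article does not give the details of the autofill bug, so the following is an added illustration of the general class of weakness, not LastPass's code and not a reconstruction of the reported flaw. It contrasts a hypothetical loose host match (checking whether the page URL merely contains the stored site name) with a strict match on the parsed origin, and runs both against a constructed sample vault and a few attacker-controlled URLs. All names and sample entries are assumptions made for the example.

```javascript
// Added example: hypothetical autofill origin checks, not code from LastPass or
// from the researchers named in the article. The vault below is constructed data.
const VAULT = [
  { site: "twitter.com", username: "alice", password: "hunter2" },
  { site: "example.com", username: "bob", password: "s3cret" },
];

// Loose matcher (the weak pattern): "does the page URL contain the stored site
// name anywhere?" A malicious page can satisfy this by putting the victim site's
// name in a query string, fragment, or a subdomain it controls.
function weakMatch(pageUrl, site) {
  return pageUrl.includes(site);
}

// Strict matcher: parse the URL, require https, and compare the hostname exactly
// or as an explicit subdomain of the stored site. Unparseable input never matches.
function strictMatch(pageUrl, site) {
  let u;
  try {
    u = new URL(pageUrl);
  } catch {
    return false;
  }
  if (u.protocol !== "https:") return false;
  const host = u.hostname.toLowerCase();
  return host === site || host.endsWith("." + site);
}

// Returns the vault entries a given matcher would offer to autofill on pageUrl.
// Passwords are deliberately left out of the returned objects.
function credentialsFor(pageUrl, matcher, vault = VAULT) {
  return vault
    .filter((entry) => matcher(pageUrl, entry.site))
    .map((entry) => ({ site: entry.site, username: entry.username }));
}

// Constructed attacker-controlled URLs that embed the victim site's name.
const ATTACKER_URLS = [
  "https://attacker.example/login?next=twitter.com",
  "https://twitter.com.attacker.example/",
  "https://attacker.example/#@twitter.com",
];

// Summary helper: how many attacker URLs each matcher would autofill for.
function leakCount(matcher) {
  return ATTACKER_URLS.filter((url) => credentialsFor(url, matcher).length > 0).length;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("weak matcher leaks on", leakCount(weakMatch), "of", ATTACKER_URLS.length, "attacker URLs");
  console.log("strict matcher leaks on", leakCount(strictMatch), "of", ATTACKER_URLS.length, "attacker URLs");
}
```

The point of the strict version is that the decision is made on the parsed hostname and scheme only, never on the raw URL string, so nothing an attacker can place in the path, query, fragment or userinfo portion of their own URL influences which vault entry is offered.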
