Critical LastPass Flaw Discovered: Update Now
Malicious websites could steal your password
If you use the LastPass password manager, make sure your LastPass browser extensions are updated to version 4.33.0 or 4.33.4. A patch released last Thursday (Sept. 12) fixes a serious security flaw that could let malicious websites steal your passwords. (The LastPass Android and iOS apps are not affected.)
Google Project Zero researcher Tavis Ormandy found that if a website is constructed a certain way, it can generate a LastPass pop-up window that will automatically fill in the cached username and password for a different website previously displayed in the same browser tab.
So website Y could steal your username and password for website X, as long as you went from X to Y in the same browser tab and then clicked to sign in.
We'll skip the technical details, but suffice it to say that the LastPass pop-up window can be triggered simply by having one website displayed in a browser as embedded within another website. (Embedding other websites is not uncommon -- Google Translate does it all the time, as Ormandy pointed out in his bug report.)
If the embedded site contains a login window, then the LastPass pop-up window may appear -- displaying the credentials for a website previously visited in the same browser tab.
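To make the bug class described above concrete, here is a small added model (illustrative code written for this article, not LastPass's own) of an autofill cache that is scoped only to the browser tab, beside a variant that binds each cached credential to its site's origin. Tab ids, origins and credentials are constructed sample values.

```javascript
// Constructed toy model: a tab-scoped autofill cache beside an origin-bound one.
// Naive cache keyed by browser tab only: whatever site was last shown in the
// tab leaves its credentials behind for whichever frame asks next.
function makeTabScopedCache() {
  const lastByTab = new Map();
  return {
    remember(tabId, site, creds) { lastByTab.set(tabId, { site, creds }); },
    // A fill request from any frame in the tab gets the cached entry back,
    // even when the requesting frame belongs to a different site.
    fill(tabId, requestingOrigin) {
      const entry = lastByTab.get(tabId);
      return entry ? entry.creds : null;
    },
  };
}

// Hardened variant: credentials stay bound to the site they were saved for
// and are released only to a frame whose origin matches exactly.
function makeOriginBoundCache() {
  const lastByTab = new Map();
  return {
    remember(tabId, site, creds) { lastByTab.set(tabId, { site, creds }); },
    fill(tabId, requestingOrigin) {
      const entry = lastByTab.get(tabId);
      if (!entry) return null;
      // Compare full origins (scheme + host + port), not bare hostnames,
      // so http://bank.example cannot claim https://bank.example's entry.
      return entry.site === new URL(requestingOrigin).origin ? entry.creds : null;
    },
  };
}

// Replays the article's scenario in one tab: the user signs in at site X,
// moves on to site Y, and a login form embedded on Y asks to be filled.
// Returns whatever the given cache hands to Y's embedded frame.
function simulateCrossSiteFill(cache) {
  const tabId = 7;                                   // constructed sample tab id
  const siteX = "https://bank.example";              // constructed sample origins
  const siteY = "https://other-site.example";
  cache.remember(tabId, siteX, { user: "alice", pass: "correct-horse" });
  // Later, in the same tab, a frame on site Y requests autofill.
  return cache.fill(tabId, siteY);
}

console.log("tab-scoped:", simulateCrossSiteFill(makeTabScopedCache()));     // leaks X's creds
console.log("origin-bound:", simulateCrossSiteFill(makeOriginBoundCache())); // null
```

The origin-bound cache still fills site Y's own login when a frame from Y asks, so the fix narrows what is released rather than disabling autofill.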
"I think it's fair to call this 'High' severity, even if it won't work for *all* URLs," Ormandy wrote.
The vulnerability has not been used in any active attacks yet, but now that it's being publicly disclosed and explained, expect someone to try it.
Tale of the tape
Ormandy reported the flaw to LastPass on Aug. 29, and LastPass had the fix ready two weeks later. On the official LastPass blog, the company states that "while any potential exposure due to the bug was limited to specific browsers (Chrome and Opera), as a precaution, we've deployed the update to all browsers."
Opera uses the same Chromium codebase as Chrome, and several other browsers, including Brave and Vivaldi, do as well. However, updating the extensions for Edge, Firefox, Internet Explorer and Safari is good policy, especially since Ormandy's bug report implies that Firefox and the Microsoft browsers are also affected.
Despite this vulnerability, it's still a good idea to use a password manager, as doing so will greatly limit the damage to your online security and privacy when a website with which you've registered gets breached. If the password you've used at that site is used nowhere else, then you won't need to worry about any of your other accounts.
How to check your LastPass browser extension
In most cases, the LastPass browser extension will automatically update itself. But you should check anyway to make sure yours are at versions 4.33.0 or 4.33.4.
To check your LastPass extension in Google Chrome, click the settings icon in the top right of the browser (it looks like three vertical dots). Move your cursor down and hover over "More tools", then click "Extensions" in the fly-out window.
In the resulting tab, locate the LastPass extension and click "Details". The version number appears near the top of the resulting page.
The process is similar in Firefox, but with an added step. Firefox's settings icon is also in the upper right, but looks like three stacked lines instead of three vertical dots. Click on that and then click on "Add-Ons", then click on "Extensions." Find the LastPass extension, double-click that and check the version number.
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.