Tue. Aug 11th, 2020

LastPass Fixes Bug That Could Let Malicious Websites Steal Your Credentials

Password manager LastPass patched a bug that could have revealed credentials entered on a previously visited site.


According to ZDNet, the bug was discovered by Tavis Ormandy, a researcher on Google’s Project Zero team. On August 29, Ormandy disclosed the vulnerability in a bug report.


The bug is considered dangerous and potentially exploitable because it relies on executing malicious JavaScript code alone, with no other user interaction.


Even worse, Ormandy notes that attackers could use a service like Google Translate to disguise a malicious URL and trick vulnerable users into visiting a rogue site. Once there, attackers could use the vulnerability to extract the credentials entered on previously visited sites.


It’s also worth noting that the bug is limited to certain browsers — Chrome and Opera.


On September 13, LastPass fixed the vulnerability with version 4.33.0.