LastPass announced that it has issued an update to fix a recent high-severity security flaw in its password manager's browser extensions. Tavis Ormandy, one of the most prominent researchers in Google's "Project Zero" group, found the bug last month. Ormandy has previously discovered several other bugs in the LastPass password manager.
LastPass fixed the bug in version 4.33.0 of its browser extensions. The extensions normally update automatically, but if you have disabled auto-update you should update manually and confirm that the installed version is 4.33.0 or later. LastPass updated all of its extensions, but said the flaw affected only the Chrome and Opera versions.
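If auto-update is off, "check the version" is the step that matters. The script below, added here as an example and not LastPass's or the article's own code, walks a Chromium-style Extensions directory (`<profile>/Extensions/<extension id>/<version>/manifest.json`), finds manifests whose name contains "LastPass", and reports whether each installed version is at or above 4.33.0. The version comparison is numeric rather than string-based, because a naive string compare would wrongly rank 4.9.1 above 4.33.0. The directory layout, the manifest name match and the default Chrome profile path are assumptions; localized manifests use `__MSG_…__` placeholders for the name, which this example does not resolve.

```python
import json
import os
import sys
import tempfile
from pathlib import Path

# Version in which LastPass shipped the fix (from the article).
PATCHED_VERSION = "4.33.0"

# Assumed default Chrome profile on Linux; pass a different path as argv[1].
DEFAULT_EXTENSIONS_DIR = Path.home() / ".config/google-chrome/Default/Extensions"


def parse_version(v):
    """Turn '4.33.0' into a tuple of ints; non-numeric suffixes are ignored."""
    parts = []
    for piece in v.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_patched(version, patched=PATCHED_VERSION):
    """True if `version` is at least `patched`.

    Shorter tuples are zero-padded so '4.33' == '4.33.0' and '4.33.0.1' > '4.33.0'.
    Comparing tuples of ints avoids the string-compare trap where '4.9.1' > '4.33.0'.
    """
    a, b = parse_version(version), parse_version(patched)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def find_extension_versions(extensions_dir, name_substring="LastPass"):
    """Return {extension_id: [installed versions]} for manifests whose literal
    'name' contains name_substring (assumption: name is not a __MSG_ placeholder)."""
    found = {}
    root = Path(extensions_dir)
    if not root.is_dir():
        return found
    for manifest in root.glob("*/*/manifest.json"):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or non-JSON manifest: skip, don't abort the scan
        name = str(data.get("name", ""))
        if name_substring.lower() not in name.lower():
            continue
        ext_id = manifest.parent.parent.name
        version = str(data.get("version", manifest.parent.name))
        found.setdefault(ext_id, []).append(version)
    return found


def report(extensions_dir):
    """Return a sorted list of (extension_id, version, patched?) for every match."""
    rows = []
    for ext_id, versions in find_extension_versions(extensions_dir).items():
        for v in versions:
            rows.append((ext_id, v, is_patched(v)))
    return sorted(rows)


def build_sample_extensions_dir():
    """Constructed fixture (not real data): a temp Extensions dir holding one
    extension with an old and a fixed version side by side, plus an unrelated one."""
    base = Path(tempfile.mkdtemp(prefix="ext-sample-"))
    for ext_id, ver, name in [
        ("aaaa", "4.32.0", "LastPass: Free Password Manager"),
        ("aaaa", "4.33.0", "LastPass: Free Password Manager"),
        ("bbbb", "1.0", "Unrelated Extension"),
    ]:
        d = base / ext_id / ver
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"name": name, "version": ver}))
    return base


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_EXTENSIONS_DIR
    rows = report(target)
    if not rows:
        print(f"no matching extension found under {target}")
    for ext_id, version, ok in rows:
        print(f"{ext_id} {version} {'patched' if ok else 'VULNERABLE - update'}")
```

Chrome keeps the previous version's directory until it finishes switching, so seeing both 4.32.0 and 4.33.0 listed is normal; what matters is that the newest entry is patched and that the browser has reloaded the extension.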
The bug is dangerous because it needs no interaction beyond luring the victim to a malicious web page; that page could then extract credentials the extension had previously filled on another site. The reach comes from the extension's permissions: LastPass is granted the ability to read and change data on every website the user visits.
That broad permission is necessary for browser-extension password managers to work at all, although browser vendors could narrow this class of problem with a much more specific API, one that only authenticated password managers could call and that exposed nothing beyond credential filling.
LastPass recommended that users follow general best practices, such as:
- Beware of phishing attacks. Do not click on links from people you don’t know, or that seem out of character from your trusted contacts and companies.
- Always enable MFA for LastPass and other services like your bank, email, Twitter, Facebook, etc. Adding additional layers of authentication remains the most effective way to protect your account.
- Never reuse your LastPass master password and never disclose it to anyone, including us.
- Use different, unique passwords for every online account.
- Keep your computer malware-free by running antivirus with the latest detection patterns and keeping your software up-to-date.
LastPass is not the only password manager to have had security bugs, including high-severity ones, but it has certainly come up in the news over security issues more often than most. Although LastPass remains the most popular password manager, it may be preferable to switch to an open source alternative such as Bitwarden or KeePassXC.