After having “an epiphany in the shower,” Tavis Ormandy realized that the latest version of the password manager’s browser extension is subject to a flaw that allows some malicious websites to have their way with the user’s system. Otherwise, the vulnerability allows malicious websites to steal the user’s passwords from behind LastPass’ protections. Unfortunately, this vulnerability seems to be present in the extensions for every major browser on Windows and Linux, and is most likely present for Mac users as well.
Making this vulnerability even more significant, the vulnerability only requires the extension to be installed in order for it to be exploited. A user could be logged out and still be subject to receiving malicious code from the website they’re visiting.
To their credit, LastPass is committed to resolving this issue, acknowledging Ormandy’s report a mere hour after he submitted it. Two days later, LastPass released a blog post going over these events and offering a few recommendations:
- Launch websites from the LastPass vault: To retain the highest level of security as possible, it’s better to access websites from the LastPass vault itself.
- Use Two-Factor Authentication wherever possible: This will add an extra layer of security to prevent leaked credentials from granting easy access to your accounts.
- Keep an eye out for phishing attacks: Clicking on a malicious link is a great way to hand over your access credentials to malicious entities, so before you click on a link in a received message, take a moment to ask yourself if the link makes sense to be coming from who allegedly sent it.
LastPass has also been vocal in their appreciation for people like Ormandy finding issues like these before they are found the hard way. According to Joe Siegrist, cofounder and vice president of LastPass, “We greatly appreciate the work of the security community to challenge our product and uncover areas that need improvement.
LastPass now has 90 days before Ormandy and Project Zero release the technical details as part of their disclosure policies. In the meantime, it would be prudent to take LastPass’ advice to heart for the sake of your own network security.
To ensure your credentials are protected, and to schedule a full security audit, contact Aspire at (469) 7-ASPIRE.