LastPass addresses two major vulnerabilities found by users

Two exploits for LastPass' browser extensions have been patched.
Sean Buckley, @seaniccus
July 27, 2016

Bad news, LastPass users: bug bounty hunters found two major security exploits with the password manager's browser extensions. Good news? Both of them have already been patched. In a quick update to the company blog, LastPass commented on a pair of separate, unrelated bugs that opened its browser extension to attacks exploitable by phishing.

Specifically, the post talks about an exploit found by security researcher Mathias Karlsson, who found a URL parsing bug that could be used to trick LastPass into spitting out passwords for specific sites. A user might click on Karlsson's spoof URL, thinking they were visiting Twitter, only to have the malicious page steal their passwords and quietly pass them on to the real social network without their knowledge. It would be scary stuff if LastPass hadn't patched the exploit over a year ago.

Karlsson says LastPass patched his exploit in less than a day and handed him a $1,000 bounty for his trouble. That's fairly typical, actually: just yesterday, Google Security Team researcher Tavis Ormandy found another LastPass exploit that could affect its Firefox extension -- today, it's already been fixed. While these incidents show that LastPass isn't perfect, its team is dedicated to fixing bugs as soon as it hears about them. Even so, the company recommends that its users play it safe: don't click links from people you don't know, use different passwords on all of your online accounts and use two-factor authentication whenever possible. All good advice.
