Lastpass addresses two major vulnerabilities found by users

Two exploits for LastPass' browser extensions have been patched.


Sean Buckley
July 28, 2016 1:12 AM

Bad news, LastPass users: bug bounty hunters found two major security flaws in the password manager's browser extensions. Good news? Both of them have already been patched. In a quick update to the company blog, LastPass commented on a pair of separate, unrelated bugs that left its browser extension open to phishing-style attacks.

Specifically, the post talks about an exploit found by security researcher Mathias Karlsson, who found a URL parsing bug that could trick LastPass into handing over the stored password for a specific site. A user might click on Karlsson's spoof URL, thinking they were visiting Twitter, only to have the malicious page capture their credentials and quietly pass them on to the real social network without their knowledge. It would be scary stuff if LastPass hadn't patched the bug over a year ago.
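The defensive lesson behind a bug of this kind is that a password manager must decide which site a page belongs to from a properly parsed URL, never from a loose string match. The following is an added example written for this article, not LastPass's code and not Karlsson's findings: it contrasts a naive substring matcher with one that extracts the hostname via Python's `urllib.parse`, and runs both over a constructed vault and constructed page URLs (the site names and URLs are invented test data, and `endswith` subdomain matching is an assumed policy, not anything the article states).

```python
from urllib.parse import urlsplit

# Constructed vault: site name -> label of the stored credential.
# These are illustrative entries, not real accounts.
VAULT = {
    "twitter.com": "twitter-login",
    "example.test": "example-login",
}


def naive_site_match(page_url: str, site: str) -> bool:
    """Flawed matcher: treats any URL containing the site name as that site.
    A page on another host can satisfy it just by mentioning the name."""
    return site in page_url.lower()


def page_host(page_url: str):
    """Return the lowercased hostname of a web page URL, or None if the
    URL is not http(s) or has no host. urlsplit() discards userinfo
    (the text before '@'), the port, the path and the query, so none
    of those can influence the host we compare against."""
    parts = urlsplit(page_url)
    if parts.scheme not in ("http", "https"):
        return None
    return parts.hostname  # already lowercased by urlsplit()


def strict_site_match(page_url: str, site: str) -> bool:
    """Match only when the parsed host is the site or one of its
    subdomains (assumed policy). 'twitter.com.example.test' does not
    match 'twitter.com' because the suffix check requires a leading dot."""
    host = page_host(page_url)
    if host is None:
        return False
    site = site.lower()
    return host == site or host.endswith("." + site)


def credentials_to_fill(page_url: str, vault=VAULT, matcher=strict_site_match):
    """Return the vault labels the matcher would offer for this page."""
    return [label for site, label in vault.items() if matcher(page_url, site)]


if __name__ == "__main__":
    # Constructed pages: one genuine, the rest on a different host that
    # merely contains the target site's name somewhere in the URL.
    pages = [
        "https://mobile.twitter.com/login",
        "https://example.test/login?next=twitter.com",
        "https://twitter.com@example.test/",
        "https://twitter.com.example.test/",
    ]
    for url in pages:
        print(url)
        print("  naive :", credentials_to_fill(url, matcher=naive_site_match))
        print("  strict:", credentials_to_fill(url))
```

Only the first page is actually Twitter; the naive matcher offers the Twitter credential on all four, while the parsed-host matcher offers it on the first alone and correctly offers the `example.test` credential on the others. A real extension would additionally compare the scheme and, depending on policy, the registrable domain rather than any subdomain.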

Karlsson says LastPass patched his exploit in less than a day and handed him a $1,000 bounty for his trouble. That's fairly typical, actually: just yesterday, Google Security Team researcher Tavis Ormandy found another LastPass exploit that could affect its Firefox extension -- today, it's already been fixed. While these incidents show that LastPass isn't perfect, its team is dedicated to fixing bugs as soon as it hears about them. Even so, the company recommends that its users play it safe: don't click links from people you don't know, use different passwords on all of your online accounts and use two-factor authentication whenever possible. All good advice.
