LastPass, one of the most popular password managers, is facing severe problems with its browser extensions: multiple vulnerabilities in the service were disclosed over the past week, and some still persist.
Technology is ever evolving, and although it is meant to improve our lives, it can also do damage when bugs are exploited, especially in a service such as LastPass, which is responsible for safeguarding tens of millions of passwords.
Last week, on March 20, Tavis Ormandy, a researcher at Google’s Project Zero, uncovered two bugs in LastPass’ browser extensions that left users vulnerable to remote code execution.
The disclosed vulnerabilities affected both business and personal users of the service.
Vulnerabilities Revealed Over the Past Week?
March 20: Tavis Ormandy finds two remote code execution (RCE) vulnerabilities affecting LastPass’ browser extensions, potentially enabling an attacker to steal passwords.
Oops, new LastPass bug that affects 4.1.42 (Chrome&FF). RCE if you use the “Binary Component”, otherwise can steal pwds. Full report on way. pic.twitter.com/y92vm3Ibxd
March 22: The company announces that it has released new versions of the Chrome (v4.1.43) and Firefox (v4.1.36) browser extensions with security updates in place.
It also states that no data was compromised during this period and that users do not need to change their credentials. Updated versions of the Microsoft Edge and Opera browser extensions will be released pending approval.
March 25: Tavis Ormandy uncovers another vulnerability in the updated version of the Google Chrome browser extension (v4.1.43). LastPass acknowledges the vulnerability in an update to its March 22 announcement.
Ah-ha, I had an epiphany in the shower this morning and realized how to get codeexec in LastPass 4.1.43. Full report and exploit on the way. pic.twitter.com/vQn20D9VCy
March 27: LastPass issues a statement: “We are now actively addressing the vulnerability. This attack is unique and highly sophisticated. We don’t want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties.”
How to Stay Safe?
LastPass has confirmed that it is working to fix the security issues with its service, and a full fix can be expected soon. In the meantime, LastPass users are advised to take the following precautions.
To safeguard their login credentials, users should disable the browser extensions for now and launch websites directly from the LastPass Vault until the company has resolved the vulnerabilities.
Turn on two-factor authentication for every account that offers it, giving the account an added layer of protection in case the vulnerability is exploited by an attacker.
Be on the lookout for phishing attacks. Do not click on links from untrusted sources — people you don’t know