LastPass is a free browser extension that stores all of a user's logins and passwords online in one secure location. LastPass advertises itself as the last password you will ever need, and over 10 million people use it as their password manager.
Keeping all of a user's login information for many websites in one place carries an inherent risk: if the application itself is breached, every stored credential could be compromised. LastPass has prided itself on being very secure, citing 256-bit encryption, local-only storage of encryption keys, and multi-factor authentication.
The Vulnerability
Last month, a Google security researcher discovered a bug in LastPass that could leak user login information. The vulnerability was found in LastPass version 4.33.0 and involved the way the browser extension matched URLs when deciding which credentials to autofill. A malicious website could potentially trick the extension into filling in credentials saved for a different site the user had previously visited.
The bug was a "credential theft" vulnerability — it didn't require a LastPass master password breach, but rather exploited a flaw in how the extension determined which credentials to autofill on a given page. This meant that carefully crafted malicious web pages could potentially capture login information for other websites.
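To make this class of flaw concrete, the following is an added JavaScript example, not LastPass's own code: the page gives no detail of the actual 4.33.0 matching logic, so this is a simplified model that contrasts a loose, substring-based URL matcher with a strict same-origin comparison when deciding which stored credential may be autofilled on a page. The vault entries and URLs are constructed sample data.

```javascript
// Added example (hypothetical, not LastPass code): two ways a password manager
// might decide whether a stored credential belongs to the page requesting autofill.

// Constructed sample vault: credentials keyed by the site they were saved on.
const VAULT = [
  { site: "https://bank.example.com/login", username: "alice", password: "hunter2" },
  { site: "https://mail.example.net/",      username: "alice@example.net", password: "s3cret" },
];

// Weak matcher: treats a credential as applicable when the saved hostname
// merely appears somewhere in the page's URL string. Loose matching of this
// kind is how an unrelated page can end up receiving another site's credentials.
function weakMatch(pageUrl, entry) {
  const savedHost = new URL(entry.site).hostname;
  return pageUrl.includes(savedHost);
}

// Strict matcher: parse both URLs and require the same web origin
// (scheme + host + port), and refuse to fill on anything but HTTPS.
// Unparseable input is treated as "do not fill".
function strictMatch(pageUrl, entry) {
  let page, saved;
  try {
    page = new URL(pageUrl);
    saved = new URL(entry.site);
  } catch (e) {
    return false;
  }
  if (page.protocol !== "https:") return false;
  return page.origin === saved.origin;
}

// Usernames a given matcher would offer to autofill on a page.
function candidates(pageUrl, matcher) {
  return VAULT.filter(e => matcher(pageUrl, e)).map(e => e.username);
}

// Constructed URL that is NOT the bank's origin but contains its hostname
// both as a lookalike subdomain and in the query string.
const LOOKALIKE = "https://bank.example.com.evil.test/x?next=bank.example.com";
```

Running `candidates(LOOKALIKE, weakMatch)` offers the bank credential to the lookalike page, while `candidates(LOOKALIKE, strictMatch)` offers nothing; the strict matcher still fills on `https://bank.example.com:443/accounts`, because the default port normalizes to the same origin.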
LastPass Response
LastPass was notified of the vulnerability through responsible disclosure and issued a patch. The fix was rolled out in an automatic extension update. Users who had automatic updates enabled received the patch without any action required on their part.
Password Manager Security
This incident highlights that even security tools can themselves have vulnerabilities. Password managers remain one of the best security practices available: the risk of reusing weak passwords across many sites far outweighs the risk of a patched vulnerability in a reputable password manager. It is still important to keep all software, including security extensions, updated at all times.
Need help setting up secure password management for your business? Contact Landshark IT for a security consultation.