Bad news, LastPass users: bug bounty hunters found two major security exploits with the password manager’s browser extensions. Good news? Both of them have already been patched. In a quick update to the company blog, LastPass commented on a pair of separate, unrelated bugs that opened its browser extension to attacks exploitable by phishing.
Specifically, the post talks about an exploit found by security researcher Mathias Karlsson, who found a URL parsing bug that could be used to trick LastPass into spitting out passwords for specific sites. A user might click on Karlsson’s spoof URL, thinking they were visiting Twitter, only to have the malicious page steal their passwords and quietly pass them on to the real social network without their knowledge. It would be scary stuff if LastPass didn’t patch the exploit over a year ago.
Karlsson says LastPass patched his exploit in less than a day and handed him a $1,000 bounty for his trouble. That’s fairly typical, actually: just yesterday, Google Security Team researcher Travis Ormandy found another LastPass exploit that could affect its Firefox extension — today, it’s already been fixed. While these incidents show that LastPass isn’t perfect, its team is dedicated to fixing bugs as soon as it hears about them. Even so, the company recommends that its users play it safe: don’t click links from people you don’t know, use different passwords on all of your online accounts and use two-factor identification whenever possible. All good advice.
Source: Twitter, LastPass, Detectify Labs