The already-patched LastPass cache bug would have allowed attackers to obtain credentials entered on a previously visited site
LastPass, one of the most popular password managers, recently released a patch for a critical flaw that would allow malicious sites to harvest credentials for previously visited websites. The vulnerability was patched in LastPass version 4.33.0, released on Thursday, September 12, and users are urged to update as soon as possible.
The bug, rated “high” severity, was discovered by Google security researcher Tavis Ormandy of Google's Project Zero team. The flaw could be exploited via the extension for the Google Chrome and Opera browsers, although an attacker would need to lead the victim through several steps before being able to harvest credentials.
LastPass is a password manager with a browser-based interface that also offers extensions for multiple browsers. Over 16 million users, along with 58,000 businesses, use the extension to protect their accounts from attackers breaking into their systems; this case only proves that security solutions are not flawless, and that finding their flaws is vital to customer security.
LastPass owner claims the bug could only be exploited under specific circumstances
The Google researcher who discovered the bug explained that the flaw lay in a cache that was not being properly refreshed:
LastPass could leak the last used credentials due to a cache not being updated. This was because you can bypass the tab credential cache being populated by including the login form in an unexpected way!
The researcher posted the findings as Project Zero issue 1930 and showed how the flaw could be exploited.
While the bug left 16 million users vulnerable to credential theft, LastPass security engineering manager Ferenc Kun said a “limited set of circumstances” would be required to exploit it, so the scenario is highly unlikely:
To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times.
Nevertheless, it is vital that bugs in critical applications like password managers are fixed regardless of how likely exploitation is. The LastPass team did so, and Ormandy verified that the fix is valid. While the flaw affected only Chrome and Opera, the LastPass update also covered the Safari, Firefox, Edge, and IE browsers.
Despite the flaw, password managers are a great way to protect your accounts and computer from being compromised
If you are a LastPass user, there is no need to do anything, as the update should have been applied automatically. However, if automatic updates are disabled for some reason, you must update the extension to version 4.33.0 manually.
Software vulnerabilities are something most applications experience (some more than others; Flash Player, for example, is riddled with critical security flaws), and they are usually patched quickly. It is also no surprise that security-related apps are sometimes found to be vulnerable. Nevertheless, such flaws are usually patched within days. In a similar case, a flaw in the software was found by Tavis Ormandy in March 2017 and quickly patched by LastPass.
Do not stop using LastPass because of a security flaw that was quickly patched. The software applies a high level of security to data retention, and it was awarded Best Product in Identity Management at the InfoSec Awards in March 2019.