A password-leaking bug was quickly fixed in the LastPass extensions

A security flaw in the LastPass password manager browser extension could have allowed an attacker to steal the credentials most recently used to log in to a website.

Exploitation of the bug was possible in the Google Chrome and Opera web browsers and required some effort to succeed, because the target had to be walked through several steps.

Not easy

Google security engineer Tavis Ormandy discovered that an attacker could build a working clickjacking scenario against a user who had just used LastPass to log in to an account, by redirecting them to a compromised or malicious website containing a specially crafted iframe.

In the vulnerability disclosure sent to LastPass, the researcher details the technical side and explains how a subsequent clickjacking step can reveal the last credentials the victim used.

He explains that the theft only succeeds if all the actions take place in the same tab. By loading the popup window that asks for the password inside an iframe, a step in the verification chain was skipped, and the last value cached for the current tab was leaked.

"This means that via clickjacking you can leak the previously logged-in site's credentials for the current tab," Ormandy says in the report sent to LastPass at the end of August.

After tinkering with the bug for a while, the researcher found a way to automate the credential leak on a Google website. Although the method may not work against every website, Ormandy rates the bug as high severity.
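The defect described above boils down to a popup that hands out the last cached credentials without confirming that it is the top-level document and that the cached entry belongs to the tab it was opened for. The following is an added example of the two checks a password-manager popup should make; it is not LastPass code, and every function and data name in it (`originOf`, `isFramed`, `credentialsForTab`, the `CACHED_ENTRY` sample) is hypothetical. The sample credentials and the `bank.example` / `attacker.example` origins are constructed for the example.

```javascript
// Added example (not LastPass code): a minimal model of the two checks a password-manager
// popup should make before handing out credentials. All names here are hypothetical.

// Origin (scheme://host[:port]) of a URL, or null when it does not parse.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch (e) {
    return null;
  }
}

// True when the document is embedded in a frame. `win` is the real `window` in a browser;
// in this offline example it is a plain object with `top` and `self` properties.
function isFramed(win) {
  return win.top !== win.self;
}

// Decide whether the popup may return the cached credentials.
//   win           - window-like object (see isFramed)
//   currentTabUrl - URL of the tab the popup belongs to
//   cached        - { site, username, password } for the last site that was filled
// Returns the credentials only when the popup is top-level AND the cached entry was saved
// for the current tab's origin; any other case returns null. The bug described in the
// article was, in effect, the origin check being skipped once the popup was framed.
function credentialsForTab(win, currentTabUrl, cached) {
  if (isFramed(win)) return null;
  const tabOrigin = originOf(currentTabUrl);
  if (tabOrigin === null || !cached || cached.site !== tabOrigin) return null;
  return { username: cached.username, password: cached.password };
}

// Constructed sample data: the victim last filled a login on https://bank.example.
const CACHED_ENTRY = { site: 'https://bank.example', username: 'alice', password: 'correct-horse' };

// A top-level window (top === self) and a framed one (top !== self).
const TOP_LEVEL = {};
TOP_LEVEL.top = TOP_LEVEL;
TOP_LEVEL.self = TOP_LEVEL;
const FRAMED = { top: {}, self: {} };

// The three cases a reviewer would check: legitimate fill, framed popup, and a different
// origin asking for someone else's cached entry.
function runScenarios() {
  return {
    sameSiteTopLevel: credentialsForTab(TOP_LEVEL, 'https://bank.example/account', CACHED_ENTRY),
    sameSiteFramed: credentialsForTab(FRAMED, 'https://bank.example/account', CACHED_ENTRY),
    otherSiteTopLevel: credentialsForTab(TOP_LEVEL, 'https://attacker.example/page', CACHED_ENTRY),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runScenarios());
}
```

Only the first scenario yields credentials; the framed popup and the foreign origin both get `null`. In a real Chrome extension there is an earlier line of defence as well: a web page can only embed an extension page at all if that page is listed under `web_accessible_resources` in the manifest, so sensitive UI pages should stay off that list in addition to performing the checks above.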

The researcher reported other problems he discovered in LastPass that an attacker could exploit. One of them was the ability to generate arbitrary hotkey events, because the extension did not verify that the events it acted on were trusted.

Another problem allowed several security checks to be disabled, and a third allowed security-related checks to be bypassed.

LastPass extensions updated

The password manager's makers acknowledged the vulnerability and published an advisory on Friday informing users that the bug had been resolved.

The company notes that "although any potential bug exposure is limited to specific browsers (Chrome and Opera), as a precaution, we've deployed the update on all browsers." The update process is automatic, so users do not need to do anything.

Recommended best practices for LastPass users are:

  • do not follow links sent by people you do not know
  • enable multi-factor authentication (MFA) for every service that supports it
  • do not reuse or share the master password of your password manager
  • create a unique password for each online account
  • run an up-to-date antivirus solution and keep the software on your computer at the latest version
