LastPass, the popular password manager, has released a fix for a bug that would have allowed malicious websites to extract previously entered passwords with the help of the service's browser extension.
The bug was first discovered by Tavis Ormandy, a researcher at Google Project Zero, who disclosed the vulnerability to the company early enough for it to issue a fix before the bug was exploited in the wild.
LastPass has since addressed the problem by deploying an automatic update to all browsers, but users were nonetheless advised to check that they were running the latest version of the software.
The bug itself involves enticing users to visit a malicious website where their LastPass browser extension is forced to fill in a password from a previously visited website. According to Ormandy, attackers could even use a service such as Google Translate to hide a malicious URL and encourage unsuspecting users to visit the website.
LastPass bug
The update should be applied to LastPass automatically, according to the company, but it is still worth checking that you are using the latest version of the service's browser extension. This is especially true for users who run a browser that allows automatic updates for extensions to be disabled.
Version 4.33.0 is the latest version of the extension and, according to LastPass, Chrome and Opera are the only web browsers to be vulnerable. However, the company has deployed its latest patch on all browsers as a precaution. In a blog post, Ferenc Kun, head of security engineering at LastPass, downplayed the bug by saying:
"To exploit this bug, a LastPass user must take a series of actions, including filling in a password with the LastPass icon, then visiting a compromised or malicious site and finally having to click multiple times on the page. This feat may result in the latest site identification information provided by LastPass being exposed. We quickly worked on the development of a fix and verified that the solution was complete with Tavis."
Just as software must be kept patched to the latest version, so must browser extensions, as cyber criminals are constantly looking for new ways to access user credentials and other sensitive information.
Via The Verge