LastPass leaks the credentials of the previous site




Password manager LastPass released an update last week to fix a security bug that exposes credentials entered on a previously visited site.

The bug was discovered last month by Tavis Ormandy, a security researcher at Project Zero, Google's elite security and bug research team.

Fix available

LastPass, considered today the most popular password management application, fixed the reported problem in version 4.33.0, released on September 12th.

If users have not enabled the automatic update mechanism for their LastPass browser extensions or mobile applications, they are advised to perform a manual update as soon as possible.

That's because yesterday Ormandy released details about the security flaw he found. The security researcher's bug report walks an attacker through the steps needed to reproduce the bug.

Because the bug relies only on the execution of malicious JavaScript code, with no other user interaction, it is considered dangerous and potentially exploitable.

Hackers could lure users to malicious pages and exploit this vulnerability to extract login credentials from previously visited sites. According to Ormandy, this is not as hard as it looks: an attacker could easily hide a malicious link behind a Google Translate URL, get users to visit the link, and extract the credentials of a previously visited site.

"I think it's fair to call this "High" severity, even though it will not work for *all* URLs," Ormandy said.

Since this vulnerability was discovered and reported privately by Google, there is no reason to believe that the bug was exploited in the wild. A LastPass spokesperson did not return a request for comment.

Do not give up password managers because of a fixable bug

Like all other applications, password managers are sometimes vulnerable to bugs, which are fixed in all cases.

Despite this vulnerability, users are still advised to rely on a password manager whenever they can. Using a password manager is much better than leaving passwords stored in a browser, from where they can be easily extracted by investigative tools and malware.

LastPass's effectiveness at keeping passwords out of sight of prying eyes was proven this summer, when the company could not meet the legal demands of the US Drug Enforcement Administration (DEA).

Cops ordered the company to hand over information about a user, such as passwords and his home address, but the company could not comply with the order because the data was encrypted and it could not access it.
