LastPass updates the browser add-on to protect against the threat of click diversion




Users made to disclose their identification information

LastPass has fixed a flaw in the browser extension of its password manager that exposed users to clickjacking.

The bug gave malicious sites a way to trick LastPass users into disclosing the credentials of a site they had previously visited.

Those credentials had to have been filled in by the password manager in the same browser tab, said Tavis Ormandy, the Project Zero security researcher who discovered the problem.

Details of the bug, discovered last month, were released at the weekend after LastPass had updated its browser add-on to fix the problem.

Ormandy explained in a Twitter update: "LastPass could lose the last used credentials due to a cache not being updated.

"This is because you can skip filling in the credential cache with a tab by including the login form unexpectedly."

In a statement, LastPass acknowledged the problem but downplayed it, saying that the affected browser extension would be updated automatically.

"To exploit this bug, a LastPass user would have had to take a series of actions, including filling in a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking multiple times on the page," LastPass explained.

"This exploit may result in LastPass credentials being exposed. We worked quickly to solve the problem and verified with Tavis [Ormandy] that the fix was complete.

"We have now solved this bug; no user action is required and your LastPass browser extension will be updated automatically.

"In addition, although any potential bug exposure is limited to specific browsers (Chrome and Opera), we have, as a precaution, deployed the update on all browsers," LastPass concluded.

Security bugs of one kind or another affecting LastPass are far from unprecedented.

For example, in June 2018, the developers of the password manager were criticised over security concerns about a subdomain autofill feature.

More recently, a server crash last November prevented many users from logging into their password vault.
