The popular password manager LastPass released an update last week to fix a security bug that revealed credentials entered on a previously visited site.
The application is one of the most popular password management solutions with over 16 million users, including 58,000 businesses.
The error was discovered last month by Tavis Ormandy, a researcher at Project Zero, the Google security team.
Typically, the Google team notifies the affected companies when a vulnerability is found and gives them 90 days to publish a fix before the bug is publicly disclosed.
LastPass fixed the reported problem in version 4.33.0, released last week on September 12, and said in a message: "This bug only affects Chrome and Opera browser extensions."
LogMeIn, the developer of LastPass, has played down the severity of the flaw and advises users who do not have the automatic update mechanism for LastPass browser extensions enabled to update manually as soon as possible.
Tavis Ormandy published details of the flaw in a tweet on his personal Twitter account. It is dangerous and exploitable because it relies on the execution of malicious JavaScript, without any user interaction.
An attacker can lure users to malicious pages and exploit this vulnerability to retrieve the login information users entered on previously visited sites.
According to the security researcher, this is not difficult, since an attacker can easily hide a malicious link behind a Google Translate URL, get users to open the link, and extract login information from a previously visited site.
"To exploit this error, the users of the application must perform a series of actions, including filling in a password via the LastPass icon, then visiting a hacked or malicious site and finally clicking several times on the page," said Ferenc Kun, director of security engineering at LastPass.