LastPass says that the browser extension vulnerability has now been patched, and that there is no evidence that it was ever exploited.
Google security researcher Tavis Ormandy reported a client-side vulnerability in the LastPass desktop browser extensions, but neither he nor LastPass released any details pending a fix. The company says the fix is now in place, and that most users will be automatically updated to version 4.1.44.
On Saturday, March 25th, security researcher Tavis Ormandy from Google’s Project Zero reported a security finding related to the LastPass browser extensions. In the last 24 hours, we’ve released an update which we believe fixes the reported vulnerability in all browsers and have verified this with Tavis himself.
Most users will be updated automatically. Please ensure you are running the latest version (4.1.44 or higher), which can always be downloaded at https://www.lastpass.com/.
LastPass has now provided details of the issue in a blog post, but warns that the obscure nature of the vulnerability means that the explanation is highly technical.
Password-manager LastPass is recommending that users follow precautionary steps while it works on fixing a vulnerability discovered over the weekend. Two of the recommendations are generic in nature, and should be followed anyway, but one is specifically geared to protecting your account from the vulnerability …
It offers the general advice to use two-factor authentication on all services that support it, as well as to remain vigilant to phishing attacks – plus one specific recommendation until the fix is available.
Use the LastPass Vault as a launch pad – Launch sites directly from the LastPass vault. This is the safest way to access your credentials and sites until this vulnerability is resolved.
The company says that exploiting the flaw would require a highly sophisticated attack, and that it will reveal details once the security hole has been closed.
Over the weekend, Google security researcher Tavis Ormandy reported a new client-side vulnerability in the LastPass browser extension. We are now actively addressing the vulnerability. This attack is unique and highly sophisticated. We don’t want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties. So you can expect a more detailed post mortem once this work is complete.
The vulnerability appears to be present only in Google Chrome, but we’d suggest following the firm’s advice no matter which browser you use.