Skip to main content

LastPass details recommended precautions as it fixes vulnerability discovered over the weekend [U]

Update:

LastPass says that the browser extension vulnerability has now been patched, and that there is no evidence that it was ever exploited.

Google security researcher Tavis Ormandy reported a client-side vulnerability in the LastPass desktop browser extensions, but neither he nor LastPass released any details pending a fix. The company said that this has now been done, and most users will be automatically updated to version 4.1.44.

On Saturday, March 25th, security researcher Tavis Ormandy from Google’s Project Zero reported a security finding related to the LastPass browser extensions. In the last 24 hours, we’ve released an update which we believe fixes the reported vulnerability in all browsers and have verified this with Tavis himself.

Most users will be updated automatically. Please ensure you are running the latest version (4.1.44 or higher), which can always be downloaded at https://www.lastpass.com/.

LastPass has now provided details of the issue in a blog post, but warns that the obscure nature of the vulnerability means that the explanation is highly technical.

Password-manager LastPass is recommending that users follow precautionary steps while it works on fixing a vulnerability discovered over the weekend. Two of the recommendations are generic in nature, and should be followed anyway, but one is specifically geared to protecting your account from the vulnerability …

It offers the general advice to use two-factor authentication on all services that support it, as well as to remain vigilant to phishing attacks – plus one specific recommendation until the fix is available.

Use the LastPass Vault as a launch padLaunch sites directly from the LastPass vault. This is the safest way to access your credentials and sites until this vulnerability is resolved.

The company says that exploiting the flaw would require a highly-sophisticated attack, and that it will reveal details once the security hole has been closed.

Over the weekend, Google security researcher Tavis Ormandy reported a new client-side vulnerability in the LastPass browser extension. We are now actively addressing the vulnerability.  This attack is unique and highly sophisticated. We don’t want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties. So you can expect a more detailed post mortem once this work is complete.

The vulnerability appears to be present only in Google Chrome, but we’d suggest following the firm’s advice no matter which browser you use.

Via Neowin. Photo: SkyHigh.


FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!


Ben Lovejoy's favorite gear

Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications