A critical zero-day flaw has been uncovered in the popular cloud password manager LastPass that could allow any remote attacker to compromise your account completely.
LastPass is a password manager that is also available as a browser extension that automatically fills credentials for you.
LastPass is a password manager that is also available as a browser extension that automatically fills credentials for you.
All you need is to remember one master password to unlock all other passwords of your different online accounts, making it much easier for you to use unique passwords for different sites.
However, the password manager isn't as secure as it promises.
Google Project Zero Hacker Tavis Ormandy discovered several security issues in the software that allowed him to steal passwords stored with LastPass.
"Are people really using this LastPass thing? I took a quick look and can see a bunch of obvious critical problems. I'll send a report asap," Ormandy revealed on Twitter.
Once compromise a victim's LastPass account, hackers would be able to access a treasure trove of passwords for victim's other online services.
Since LastPass is working on a fix to the zero-day vulnerability, technical details about the issues have not been disclosed by the researcher.
Similar Old Bug in LastPass Password Manager:
Coincidentally, another security researcher Mathias Karlsson also announced that he had uncovered some issues in LastPass, that has already been patched by the company.
A specially crafted URL is enough to take complete control of its user's accounts.
As Karlsson explained in a blog post published today, an attacker could send a specially-crafted URL to the victim in order to steal passwords from his/her vault.
This specific vulnerability resided in the autofill functionality of the LastPass browser extension, where a faulty regular expression for parsing the URL was allowing an attacker to spoof the targeted domain.
"By browsing this URL: http://hackerpostnigeria.com/@facebook.com/@login.php the browser would treat the current domain as hackerpostnigeria.com while the extension would treat it as facebook.com," Karlsson explained.
Therefore, by abusing form auto-fill functionality, a hacker could steal victim's, let’s say, Gmail password, by sending the POC URL containing gmail.com to the victim.
This particular flaw has already been patched by the company within a day, and Karlsson has even been awarded with a bug bounty of $1,000.
ll, the issues in password managers are really worrying, but this doesn’t mean that you should stop using password managers. Password managers still encourage you to use unique and complex passwords for every single site.
In wake of the latest issue, users can avoid browser-based password managers and instead switch to offline versions, like KeePass.
LastPass has quickly patched the vulnerability reported by Tavis Ormandy and pushed an update with fix for all Firefox users using LastPass 4.
"The recent report only affects Firefox users. If you are a Firefox user running LastPass 4.0 or later, an update will be pushed via your browser with the fix in version 4.1.21a." LastPass said in a blog post.
SOURCE: THN
Share your view.. EmoticonEmoticon