LastPass is a popular password manager that has earned credibility owing to its efficiency. Nonetheless, like any other software, it is also prone to security flaws. Recently, a researcher discovered a vulnerability in the LastPass password manager. If exploited, the flaw could expose login credentials of previously visited websites.
LastPass Vulnerability Leaking Credentials
Reportedly, Tavis Ormandy of Google Project Zero has discovered a bug in the popular password manager LastPass. This LastPass vulnerability could expose the credentials of previously visited sites.
Describing the vulnerability in a Chrome bug report, the researcher explained that clickjacking could be used to expose site credentials.
I noticed that you can create a popup without calling do_popupregister() by iframing popupfilltab.html (i.e. via moz-extension, ms-browser-extension, chrome-extension, etc). It’s a valid web_accessible_resource.
Because do_popupregister() is never called, ftd_get_frameparenturl() just uses the last cached value in g_popup_url_by_tabid for the current tab. That means via some clickjacking, you can leak the credentials for the previous site logged in for the current tab.
The researcher also shared steps to reproduce the flaw. Although it did not work for all websites, the researcher deemed it a high-severity bug because the exploit requires no user interaction.
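The quoted report describes a classic state-confusion defect: a per-tab cache of "which page opened the popup" is trusted even when the registration step that is supposed to populate it never ran for the current page, so a stale value from the previous site is used. The model below is an added example written for this article, not LastPass code, and all names in it (popupUrlByTabId, doPopupRegister, getFrameParentUrl, fillRequest, the vault entries, the reported top-level origin) are hypothetical stand-ins. It contrasts the vulnerable pattern with a hardened one in which a fill request must present a single-use registration token bound to the tab and origin, and that origin must match what the browser reports for the requesting frame.

```javascript
// Constructed model of the per-tab popup cache defect and one way to harden it.
// Not LastPass code; all identifiers and data are hypothetical.

// Constructed vault: two sites the user has stored credentials for.
const vault = [
  { origin: "https://bank.example",  username: "alice", password: "constructed-secret-1" },
  { origin: "https://forum.example", username: "alice", password: "constructed-secret-2" },
];

function lookupCredentials(origin) {
  return vault.filter((entry) => entry.origin === origin);
}

// --- Vulnerable model -------------------------------------------------------
// doPopupRegister is meant to run each time the extension opens its popup for
// a page, recording that page's origin for the tab. If a third-party page embeds
// the popup resource directly, register is never called and the stale entry from
// the previous site is reused by getFrameParentUrl.
function makeVulnerableBackground() {
  const popupUrlByTabId = new Map(); // hypothetical: tabId -> origin of last registered page
  return {
    doPopupRegister(tabId, pageOrigin) {
      popupUrlByTabId.set(tabId, pageOrigin);
    },
    getFrameParentUrl(tabId) {
      // Missing check: no verification that the cached origin belongs to the
      // page currently loaded in this tab.
      return popupUrlByTabId.get(tabId) ?? null;
    },
    fillRequest(tabId) {
      const origin = this.getFrameParentUrl(tabId);
      return origin ? lookupCredentials(origin) : [];
    },
  };
}

// --- Hardened model ---------------------------------------------------------
// Registration mints a one-time token bound to (tabId, origin). A fill request
// must present that token and the origin the browser itself reports for the
// requesting frame's top-level document (in a real extension, taken from the
// message sender metadata rather than from page-supplied data). The token is
// consumed on first use, so an unregistered or replayed request gets nothing.
function makeHardenedBackground() {
  const pending = new Map(); // tabId -> { origin, token }
  let counter = 0;
  return {
    doPopupRegister(tabId, pageOrigin) {
      const token = `t${++counter}`;
      pending.set(tabId, { origin: pageOrigin, token });
      return token;
    },
    fillRequest(tabId, token, reportedTopOrigin) {
      const entry = pending.get(tabId);
      pending.delete(tabId); // single use regardless of outcome
      if (!entry || entry.token !== token || entry.origin !== reportedTopOrigin) {
        return []; // unregistered, replayed, or origin mismatch: no credentials
      }
      return lookupCredentials(entry.origin);
    },
  };
}

// Scenario: the user logs in at bank.example in tab 7, then the same tab loads an
// unrelated page that embeds the popup resource without a registration step.
function runScenario() {
  const vuln = makeVulnerableBackground();
  vuln.doPopupRegister(7, "https://bank.example");
  vuln.fillRequest(7);                 // legitimate fill on bank.example
  const leaked = vuln.fillRequest(7);  // later page, no register call: stale origin reused

  const hard = makeHardenedBackground();
  const token = hard.doPopupRegister(7, "https://bank.example");
  const legit = hard.fillRequest(7, token, "https://bank.example");
  const blocked = hard.fillRequest(7, token, "https://other.example");    // token already spent
  const noRegister = hard.fillRequest(7, undefined, "https://other.example"); // never registered
  return { leaked, legit, blocked, noRegister };
}
```

Running runScenario() shows the vulnerable model handing back the bank.example credentials on the second, unregistered request, while the hardened model returns them exactly once, for the registered origin, and nothing otherwise. The design point is that the cache is a hint, not an authorization: the decision to fill must be bound to evidence about the current frame that the embedding page cannot supply.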
Patch Available
After discovering the bug, Ormandy privately reported it to Google. Hence, there appears to be no active exploitation of the vulnerability.
Following the report, LastPass has released a new version with the patch. Users should ensure they have updated to LastPass 4.33.0.
This is not the first security flaw found in LastPass; numerous vulnerabilities were reported in the tool in previous years as well. Nonetheless, such incidents do not diminish the value of LastPass as an effective password manager. Given the growing number of credential-stuffing attacks and password breaches, it remains important to keep your accounts secure with a robust password manager like LastPass.
Let us know your thoughts in the comments.