Slashdot Mirror

← Back to Stories (view on slashdot.org)

LastPass Bugs Allow Malicious Websites To Steal Passwords (bleepingcomputer.com)

Posted by BeauHD on from the irony-at-its-finest dept.

Earlier this month, a Slashdot reader asked fellow Slashdotters what they recommended regarding the use of password managers. In their post, they voiced their uncertainty with password managers as they have been hacked in the past, citing an incident in early 2016 where LastPass was hacked due to a bug that allowed users to extract passwords stored in the autofill feature. Flash forward to present time and we now have news that three separate bugs "would have allowed a third-party to extract passwords from users visiting a malicious website." An anonymous Slashdot reader writes via BleepingComputer: LastPass patched three bugs that affected the Chrome and Firefox browser extensions, which if exploited, would have allowed a third-party to extract passwords from users visiting a malicious website. All bugs were reported by Google security researcher Tavis Ormandy, and all allowed the theft of user credentials, one bug affecting the LastPass Chrome extension, while two impacted the LastPass Firefox extension [1, 2]. The exploitation vector was malicious JavaScript code that could be very well hidden in any online website, owned by the attacker or via a compromised legitimate site.

3 of 126 comments (clear)

  1. KeePass FTW! by OutOnARock · · Score: 4, Informative

    also, first post!

    1. Re:KeePass FTW! by PhrostyMcByte · · Score: 5, Informative

      I'll second KeePass. Not just because it's what I use, but because it takes serious measures to protect your data. Anyone can make a functioning password safe, but the way KeePass does it shows it was designed with an eye toward security. As a dev, I can appreciate it.

      A browser extension? Really? Your OS has a massive, old, reliable security feature in that one process can not easily access the memory of another process, and you choose to not use that and instead build support directly into the largest attack vector on your PC, the browser?

  2. Re:Never use autofill by 0x537461746943 · · Score: 4, Informative

    You should not use autofill for other reasons... Hidden fields can be passed to websites without you knowing it... http://www.digitaltrends.com/c...