LastPass Fixes Bug That Left Users Vulnerable To Clickjacking Password Theft

If you use LastPass to manage your passwords, be advised that a recent update fixed a security issue that could allow an attacker to steal your login credentials. The issue is resolved in LastPass 4.33.0. However, if you do not have LastPass configured to update automatically, it is advised that you manually patch it as soon as possible.

Tavis Ormandy, a security researcher with Google's Project Zero team, discovered the flaw and posted details on how to reproduce the issue. The attack vector leverages JavaScript, so an attacker need only configure a malicious webpage to exploit the vulnerabilities.

It is not all that complicated for an attacker to pull this off. It essentially involves tricking a user into visiting a malicious site, and then tricking the LastPass browser extension into inputting a password from a previously visited site. According to Ormandy, it would be particularly easy to disguise this attack behind a Google Translate link.

"I think it's fair to call this 'High'" severity, even if it won't work for *all* URLs," Ormandy wrote.

The Project Zero team alerted LassPass to the issue in August, with its standard 90-day disclosure deadline. LastPass did not need the full 90 days. It took about two weeks for LastPass to roll out an update, which is now available.

While LastPass was quick to resolve the issue, it didn't view the bug in quite the same light as Google's Project Zero team.

"To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times. This exploit may result in the last site credentials filled by LastPass to be exposed. We quickly worked to develop a fix and verified the solution was comprehensive with Tavis," LastPass said.

LastPass also said the bug only affected the Chrome and Opera browsers, though to play it safe, the same patch has been deployed for every browser extension, including Firefox, Safari, Edge, and Internet Explorer.