LastPass, one of the most widely used password managers, recently released a bug fix that stops malicious websites from stealing credentials its browser extension had previously filled on another site.
The flaw was found by Tavis Ormandy of Google Project Zero, who reported it privately to LastPass. The vulnerability was discovered and fixed before there was any indication of it being used by bad actors.
In a blog post, LastPass security engineer Ferenc Kun described the issue:
“To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times. This exploit may result in the last site credentials filled by LastPass to be exposed. We quickly worked to develop a fix and verified the solution was comprehensive with Tavis.”
LastPass has deployed the fix to all browsers through the extension's automatic update mechanism. The flaw only affects Chrome and Opera, but the patched version was delivered for every supported browser. Because the issue is serious, we suggest users double-check that they are running the latest version: according to LastPass the fixed release is 4.33.0, so if you are running that version or newer you are protected. In Chrome, the installed version is listed under the extension's details on chrome://extensions.