LastPass closes vulnerability in its browser plugin


LastPass has patched a vulnerability in its browser plugin found by Google’s Project Zero. Under certain circumstances, an attacker was able to retrieve the last used password using a specially crafted website.

LastPass has updated its browser extension; most users should automatically receive the new version, 4.33.0, while users who have disabled auto-update will have to update manually. According to LastPass, the problem only affected Chrome and Opera, but the update has been provided for all browsers.

The vulnerability was discovered last month by Tavis Ormandy of Google’s Project Zero, who reports that LastPass has fixed the problem. He found that the extension's password pop-up can be triggered in a roundabout way while its cached value is still present. In practice this means that the last used password is exposed.

A user has to be lured to a specially crafted website for this, but Ormandy notes that clickjacking can be performed by, for example, masking URLs behind Google Translate. He therefore considers it a serious vulnerability.
