A popular password manager, LastPass, has recently fixed a bug that could have enabled malicious websites to steal users’ passwords or even execute arbitrary code on their computers. The bug was first discovered by Tavis Ormandy, a security researcher from Google’s Project Zero. Ormandy found that the vulnerability existed in the Google Chrome and Firefox extensions for the password manager.
The LastPass vulnerability was related to the way it parses and fills web forms. This vulnerability could have been exploited to bypass the same origin policy of web browsers, thereby enabling malicious websites to gain access to users’ credentials. Ormandy also found that malicious websites could use the flaw to run arbitrary code on users’ computers.
However, the good news is that LastPass was quick to act and fix the vulnerability as soon as the researcher reported it. In fact, the password manager was able to roll out a fix within a day. This is a clear example of how important it is to have proper security measures in place and to be proactive in addressing vulnerabilities as they are discovered. In conclusion, LastPass users are advised to update their extensions to the latest version as soon as possible to avoid being compromised by this vulnerability.
