A similar security vulnerability on LastPass’ browser extension previously enabled malicious attackers to steal users’ passwords.
On Opera, you can’t force updates and your only option is to reinstall the extension. Even though you’d expect password managers to be built on the most secure frameworks, security vulnerabilities such as this one can happen.
Click the Details button on LastPass’ card and then hit the Update button at the top. To manually update LastPass, click the three dots at the top-right corner of Google Chrome and go to More Tools > Extensions.
How to manually update the LastPass password manager

However, it’s best to double-check by manually updating the LastPass extension. The fix should be applied to your browser automatically. While the circumstances for the bug’s misuse are limited, these activities are common on the internet and even if they affected a fraction of LastPass’ user base, it would have cost thousands of users their sensitive data. “We have now resolved this bug; no user action is required and your LastPass browser extension will update automatically,” the company added in a blog post. “We quickly worked to develop a fix and verified the solution was comprehensive with Tavis.” Once the person clicked the link, the hack required no user interaction and immediately executed an automated script which extracted your last used password. In order to exploit the bug - which possibly only existed on Google Chrome and Opera - attackers simply had to create a fraudulent link masquerading as a URL from websites someone would trust, such as Google Translate.
LastPass says it rolled out an update for the browser add-on on September 13th, two weeks after the vulnerability was first reported by Ormandy. To download LastPass browser extensions/apps, visit the LastPass Downloads Page to download the extension(s)/app(s) of your choice.
They also offer compatible MacOS and Windows Desktop apps, and Android and iOS mobile apps. Originally discovered in August by Tavis Ormandy, a researcher from Google’s Project Zero, the security flaw allowed malicious websites to trick the browser extension into giving away credentials you entered on a previous site. LastPass offers browser extensions for Chrome, Firefox, Edge, Internet Explorer, Safari, and Opera. The developers behind popular password manager LastPass have patched a loophole that exposed your last used password.
As a result, it’s a good idea to add two-factor authentication to any sites that support it, along with using strong unique passwords that you never reuse between services. The existence of the bug highlights the fact that password managers, like any online service, can still be susceptible to security problems. To begin using LastPass, you need to log in to LastPass. The bug was responsibly disclosed to LastPass before being made public, and there’s no evidence that an exploit was ever deployed on the web. Despite this bug, using a password manager is still a great measure to take for the sake of your online security. The Chrome Web Store will indicate it is checking the extension.
The company’s Security Engineering Manager, Ferenc Kun, said that the exploit relied on a user visiting a malicious site and then being tricked into clicking on the page “several times.” Ormandy nevertheless gave the bug a “High” severity rating. This change will not affect users of current versions of Microsoft Edge. This action follows an announcement from Microsoft that the Edge Legacy desktop application will no longer be supported or receive security updates. In a statement posted on its blog, LastPass downplayed the severity of the bug. Starting Monday, January 31, 2022, LastPass will no longer support the Microsoft Edge Legacy browser extension for LastPass.
LastPass said that it believed only the Chrome and Opera browsers were affected by the bug, but that it’s deployed the same patch to all browsers as a precaution. The bug was patched with version 4.33.0 of the extension. This was because you can bypass the tab credential cache being populated by including the login form in an unexpected way! - Tavis Ormandy, September 16, 2019

Although LastPass says the update should be applied automatically, you should definitely check that you’re running the most up-to-date version of the service’s browser extension, particularly if you’re using a browser which allows you to disable automatic updates for extensions. Therefore as an added security measure, we recommend switching. LastPass could leak the last used credentials due to a cache not being updated.