Researcher Reveals Critical LastPass Vulnerabilities

A vulnerability in popular password manager LastPass could have exposed users passwords to malicious websites, according to reports from a respected security researcher.

LastPass offers web-based password manager and password vault capabilities via a freemium model. The company was purchased by LogMeIn for $110 million in 2015.

On Monday, Tavis Ormandy, a white-hat hacker on Google’s Project Zero security research team revealed a content script that could potentially let malicious sites proxy unauthenticated messages to LastPass browser extensions. This exploit would give hackers access to LastPass commands such as “copying and filling in passwords,” according to Ormandy.

This is not the first time a LastPass vulnerability has been exposed. In July of 2015, LastPass was hit by a targeted hack that accessed users’ email addresses, encrypted master passwords, and reminder words and phrases the service asks users to create for those master passwords.

In the days following Ormandy’s disclosure, LastPass investigated the vulnerabilities and fixed them with a server-side workaround, according to a blog post.

“We have no indication that any of the reported vulnerabilities were exploited in the wild, but we’re doing a thorough review at this time to confirm,” says LastPass.

The company considers the issue resolved, and fixes are being pushed to all users, with most updating automatically. Users have not been advised to change their passwords.

The issue reported by Tavis Ormandy has been resolved. We will provide additional details on our blog soon.

— LastPass (@LastPass) March 21, 2017