Posted on September 17, 2019 at 3:15 AM
Famous password managing service LastPass has been in the news lately because of a security bug that can expose login credentials that clients entered on a previously opened web page.
The dangerous vulnerability was unveiled in August by Tavis Ormandy, a security researcher working for Google’s Project Zero, the team at the online giant in charge of spotting bugs and exploits and alerting the cyberspace about them.
LastPass is, without a doubt, among the most widely used password managers in the cyber world nowadays. The company has already fixed the problem in version 4.33.0. Reportedly, the fix was released on September 12, and customers are strongly recommended to update.
Enabling the Auto-Update Feature or Updating Manually
The update can be applied via the auto-update feature present in the LastPass browser extension or mobile application. However, if users haven’t done so, the company recommends a manual update as soon as possible; otherwise they remain exposed.
The sudden update recommendations are coming because Ormandy has now released specific details about the exploit he discovered, and those details can serve as a step-by-step guide explaining to potential attackers how to take advantage of the bug.
The Modus Operandi
Hackers and cybercriminals can work to attract naive targets to malicious websites and take advantage of the flaw to gain access to the login credentials entered on sites visited previously. Per Ormandy, the process is actually not that difficult: it can be as easy as hiding behind a Google Translate URL, misleading people into opening the link, and then taking the aforementioned credentials.
Ormandy warned that the situation should be classified as highly severe despite the fact that it doesn’t work for each and every URL. There is, however, some good news regarding the impact that the exploit’s existence has had until now.
The security flaw was unveiled and reported to Google in a private manner, which means that, since it wasn’t published until a fix was released, there are no indications that would lead the people involved to believe that hackers have taken advantage of it.
ZDNet, a specialized cybersecurity news platform, reported that it tried to contact the LastPass brass but that they didn’t return a request for comment about the matter.
Password Managers and Their Role in Cybersecurity
As it happens with a myriad of other online services and apps, password managers can be vulnerable to security flaws. And just like other products and offerings found on the web, these flaws are usually fixed, patched, or the systems are updated for enhanced protection.
The recommendation from this site is that, despite the existence of the LastPass bug, people should still consider using a password manager for its convenience and security benefits. Using one is recommended and a better idea than creating weak passphrases or leaving them stored in a web browser for malware and hackers to take with relative ease.
In fact, LastPass is so adept at protecting passwords from spies, snoopers, or other interested parties that the company wasn’t able to help a famous law enforcement agency in the United States, the DEA, in a legal case.
To be more specific, LastPass was asked by police officers to provide data about a specific customer of the platform, most notably passwords and their home address. However, since the information was encrypted from end to end, the password manager couldn’t provide any help to American law enforcement, a development that many in the cybersecurity community applauded and celebrated.