Oliver Bradshaw | 25 Sep 2019
It has been revealed that over the past few weeks LastPass’s password storage service contained a critical vulnerability that could expose user credentials.
With more than 16 million users, this is a daunting prospect: LastPass could have leaked or lost millions of user passwords and log-in details. It is all the more problematic because LastPass is perceived as one of the safest and most reliable services for the general public to store their passwords and sensitive data.
Back in August, Tavis Ormandy, a member of Google’s Project Zero team, first spotted the vulnerability in LastPass. Project Zero is a task force set up by Google to find exploitable flaws in applications that could give hackers and other malicious parties access to sensitive data and programs.
Fast forward to today, and LastPass has made it known that it was notified by Project Zero and has since patched the vulnerability, although the flaw appears to have remained open and exploitable for more than two weeks.
The vulnerability was limited to the Chrome and Opera browsers, and only affected users running the LastPass browser extension. When a user entered their password on a fake or deceptive website, that site could gain access to the user’s LastPass data, revealing passwords and other details that had previously been used on another website.
Once the vulnerability was spotted, Project Zero made it clear that LastPass was informed immediately.
LastPass has now released v4.33.0 of its browser extension, which has been rolled out automatically to all users. No manual adjustments or updates are required, as Google’s and Opera’s browsers will fetch the update and install the latest version of the extension on their own.
As the LastPass vulnerability shows, there are still security risks in using password storage services, even reputable ones. We suggest taking an in-depth look at your password manager, or making use of on-device encrypted solutions such as Apple’s Keychain rather than entirely cloud-based systems.
Services offered by VPN providers such as NordVPN should also be considered. NordPass, one of NordVPN’s upcoming services, features state-of-the-art encryption and security protocols intended to keep device passwords and sensitive data as safe as possible.