
LastPass Extension Bug Can Leak Passwords to Malicious Websites

If exploited, the bug in LastPass's Chrome extension can expose the last login credential it filled out to a website's background processes, according to a Google security researcher. Fortunately, LastPass has fixed the flaw through an update.

By Michael Kan
September 16, 2019
LastPass Chrome Extension

LastPass is advising users to update the Chrome extension for its password manager. A bug in the software can be exploited to leak users' login credentials in the event they visit a hacker-controlled website.

The company's extension, which has more than 10 million users, works by automatically filling in the passwords on account logins. The fill-in process occurs when the user clicks the LastPass "…" icon appearing in login fields.

However, last month Google security researcher Tavis Ormandy noticed a problem in the extension's background processes. The bug can trigger the extension to expose the last login credential it filled out. To exploit it, a hacker could create a malicious website designed to fetch the password entry from a LastPass Chrome extension user. The victim would simply need to click on the malicious page several times to cause the credential to leak.

The bug is valuable for any hackers seeking to phish users' passwords. For instance, a cybercriminal could spread links to tampered websites to secretly prey on LastPass users. The good news is that the company patched the problem last week with version 4.33.0 of the LastPass extension.

"We have now resolved this bug; no user action is required and your LastPass browser extension will update automatically," the company said in a blog post on Monday. In addition to Chrome, the vulnerability also affects the extension for the Opera browser. As a precaution, LastPass says it has also rolled out safeguards to its extensions for other browsers.

To protect yourself from account hijacks, it's a good idea to enable two-factor authentication on your online accounts. This forces anyone attempting to sign in not only to enter the correct password, but also to input a unique code generated by your phone. You can also check out our other tips to stay safe online.


About Michael Kan

Senior Reporter

I've been with PCMag since October 2017, covering a wide range of topics, including consumer electronics, cybersecurity, social media, networking, and gaming. Prior to working at PCMag, I was a foreign correspondent in Beijing for over five years, covering the tech scene in Asia.
