September 17, 2019 at
The dangerous vulnerability was unveiled in August by a security specialist working for Google’s Project Zero, the team at the online giant charged with spotting bugs and exploits and alerting the wider internet about them. The researcher’s name is Tavis Ormandy.
LastPass is, without a doubt, among the most widely used password managers in the cyber world nowadays. The company has already found a fix for the problem, in version 4.33.0. Reportedly, the fix was released on September 12, and customers are strongly recommended to
Enable the Auto-Update Feature or Do It Manually
Users can update through the auto-update feature present in the LastPass browser extension or mobile application. However, if they have not done so, the company recommends a manual update as soon as possible; otherwise they may be at risk.
The sudden update recommendations are coming because Ormandy has now released specific details about the exploit he discovered, and those details could serve as a step-by-step guide showing potential attackers how to take advantage of the bug.
The security flaw depends on running malicious
is why the vulnerability is so threatening and exploitable by people with bad
The Modus Operandi
Hackers and cybercriminals can lure naive targets to malicious websites and take advantage of the flaw to gain access to the login credentials entered on previously visited sites. Per Ormandy, the process is not that difficult: it can be as easy as hiding behind a Google Translate URL, misleading people into opening the link, and then taking the aforementioned credentials.
Ormandy warned that the situation should be classified as highly severe, even though the technique does not work for each and every URL. There is, however, some good news regarding the impact the exploit has had so far.
The security flaw was unveiled and reported to Google privately, which means that, since it was not published until a fix had been released, there is no indication that would lead those involved to believe hackers have taken advantage of it.
Password Managers and Their Role in Cybersecurity
As with a myriad of other online services and apps, password managers can be vulnerable to security flaws. And just as with other products and offerings found on the web, these exploits are usually fixed or patched, or systems are updated for enhanced
The recommendation from this site is that, despite the existence of the LastPass bug, people should still consider using a password manager for its convenience and security benefits. Using one is recommended and a better idea than creating weak passphrases or leaving them stored in a web browser for malware and hackers to take with relative
In fact, LastPass is so adept at protecting passwords from spies, snoopers, and other interested parties that the company was unable to help a famous law enforcement agency in the United States, the DEA, in a legal case.
To be more specific, LastPass was asked by police officers to provide data about a specific customer of the platform, most notably their passwords and home address. However, since the information was encrypted end to end, the password manager could not provide any help to American law enforcement, a development that many in the cybersecurity community applauded and celebrated.