Posted on September 17, 2019 at 3:1 AM

Famous password managing service LastPass has been in the news lately because of a bug that can expose login credentials that clients entered on a previously opened web page.

The dangerous vulnerability was unveiled in
August by a security specialist working for Google’s Project Zero, the online
giant in charge of spotting and alerting the cyberspace about bugs and
exploits. The name of the researcher is Tavis Ormandy.

LastPass is, without a doubt, among the most
widely used password managers in the cyber world nowadays. The company has
already found a fix for the problem in version 4.33.0. Reportedly,
the fix was released on September 12, and customers are strongly recommended to
update.

Enabling Auto-Update Feature or Do It Manually

The update can be applied via the auto-update feature present in the LastPass browser extension or the application for mobile devices. However, if customers haven’t enabled it, the company recommends a manual update as soon as possible; otherwise they may be in danger.

The sudden update recommendations are coming
because Ormandy has now released specific details about the exploit he
discovered, and they can serve as a manual or step by step guide explaining to
potential attackers how to take advantage of the bug.

The security flaw depends only on running malicious
JavaScript code, with no additional user interaction involved. That
is why the vulnerability is so threatening and exploitable by people with bad
intentions.

The Modus Operandi

Hackers and cybercriminals can work to attract
naive targets to malicious websites and take advantage of the flaw to gain
access to the login credentials written on sites visited previously. Per
Ormandy, the process is actually not that difficult because it can be as easy
as hiding behind a Google Translate URL, misguiding people and prompting them
to open the link, and then taking the aforementioned credentials.

Ormandy warned that the situation should be
classified as highly severe despite the fact that it doesn’t work for each and
every URL. There is, however, some good news regarding the impact that the
exploit’s existence has had until now.

The security flaw was unveiled and reported to Google in a private manner, which means that, since it wasn’t published until a fix was released, there are no indications that may lead the people involved to believe that hackers have taken advantage of it.

ZDNet, a specialized news platform, reported that it tried to contact the LastPass brass but that they didn’t respond to a request for comment on the matter.

Password Managers and Their Role in Cybersecurity

As it happens with a myriad of other online
services and , password managers can be very vulnerable to security flaws.
And just like it happens with other products and offerings found on the web,
these exploits are usually fixed, patched, or systems are updated for enhanced
protection.

The recommendation from this site is that,
despite the existence of the LastPass bug, people should entertain the idea of
using a password manager for their convenience and security benefits. Using one
is recommended and a better idea than creating weak passphrases or leaving them
stored in a web browser for and hackers to take them with relative
ease.

In fact, LastPass is so adept at protecting
passwords from spies, snoopers, or other interested parties that the company
wasn’t able to help a famous law enforcement agency in the United States, the
DEA, in a legal case.

To be more specific, LastPass was asked by police officers to provide information about a specific customer of the platform, most notably passwords and their home address. However, since the information was encrypted from end to end, the password manager couldn’t provide any help to American law enforcement, a development that many in the cybersecurity community applauded and celebrated.

Summary

Article Name

LastPass Fixes Potentially Dangerous Flaw That Could Leak Credentials From the Previous Site

Description

The dangerous vulnerability was unveiled in August by a security specialist working for Google’s Project Zero, the online giant in charge of spotting and alerting the cyberspace about bugs and exploits. The name of the researcher is Tavis Ormandy.

Author


Ali Raza

Publisher Name


Koddos
