Skip to main content
  1. Home
  2. Computing
  3. News

LastPass, used by millions, may be vulnerable to shockingly simple exploits

Justin Pot
By
LastPass was vulnerable, a white hat hacker at Google’s Project Zero claimed Tuesday. A patch for the problem was out by Thursday, Engadget is reporting.
Recommended Videos

Tavis Ormandy, a researcher affiliated with Google’s security research team Project Zero, sarcastically asked if anyone actually uses LastPass on Twitter yesterday, adding that he found a bunch of fundamental security problems with little more than a quick glance, Betanews is reporting. LastPass is the most popular password storage service on the planet, with millions of users.

Related

Are people really using this lastpass thing? I took a quick look and can see a bunch of obvious critical problems. I'll send a report asap.

— Tavis Ormandy (@taviso) July 26, 2016

Ormandy has sent a report of the security problems to LastPass, who have patched up the issues. The issue, LastPass says, is that a malicious website could access the Firefox extension without the user even knowing, and do things like delete passwords from the service. The issue is fully solved now.

Here are the details of the vulnerability I reported https://t.co/2fWFyBFzUm https://t.co/3HaEQRJEqa

— Tavis Ormandy (@taviso) July 28, 2016

Google’s Project Zero team routinely researches security flaws online, both in Google services and those created by other companies. Flaws are reported to the appropriate companies, who have 60 days to resolve the issue. At that point, Project Zero makes the flaws public. The idea is to encourage companies to fix the issues, and in this case that seems to be working: LastPass told Ormandy that a fix is on the way.

So we won’t know what problems Ormandy found for a while. But if you want to read something scary right now, researcher Mathias Karlsson also found a terrifying LastPass flaw malicious sites could use to grab all your passwords in bulk, if users leave the automatic login feature enabled.

“First, the code parsed the URL to figure out which domain the browser was currently at, then it filled any login forms with the stored credentials,” Karlsson wrote in a blog post outlining the issue. “However, the URL parsing code was flawed (bug in URL parsing? shocker!).”

LastPass was quick to respond to the problem, and even paid Karlsson a $1,000 bounty for finding and reporting the issue.

Karlsson, for his part, thinks password managers are worth using, despite flaws like this.

“They are still much better than the alternative (password reuse),” Karlsson wrote.

Having said that, disabling autofill might be a good idea, on LastPass and similar services.

Editors' Recommendations

Topics
Justin Pot
Justin Pot
Former Digital Trends Contributor
Justin's always had a passion for trying out new software, asking questions, and explaining things – tech journalism is the…
How to easily connect any laptop to a TV
An image-editor app being used to edit photos on a laptop.

If you’re using a laptop on a daily basis, you’ll know how tiring it can get to stare at a 13-inch screen for hours on end. This is why it’s great that most modern PCs can be connected to a TV. Not only does this give you a bigger display to work with, but you’ll still be able to use your laptop as you normally would. So no saying goodbye to those handy trackpad gestures!

Read more
The Asus ROG Ally just got a game-changing update
Asus ROG Ally handhelds side by side.

Asus' ROG Ally is one of the best handheld gaming PCs you can buy, and now it's getting even better. Asus is updating the handheld with AMD's Fluid Motion Frames (AFMF). This is a driver-level feature that adds frame generation to the majority of DirectX 11 and 12 games, which should vastly improve performance.

We've seen AFMF in action on AMD graphics cards previously. The feature launched late last year for desktop and mobile AMD graphics cards, but the ROG Ally oddly didn't support the feature. Asus' handheld uses the Ryzen Z1 chipset, which includes both an AMD processor and graphics card, but it uses its own specialized driver. Because of that, it didn't receive AFMF support right away.

Read more
How to delete a Discord server on desktop and mobile
Memrise bot in the Discord app directory.

Have you had enough of Discord for a while? We get it. It can be a little exhausting to say the least, especially if you’re running a jam-packed server, filled with multimedia and messages. Fortunately, if you’re in the mood to take a break, it’s not too hard to delete your Discord server.

Read more