Skip to main content
  1. Home
  2. Computing
  3. Mobile
  4. News

LastPass, used by millions, may be vulnerable to shockingly simple exploits

Add as a preferred source on Google

LastPass was vulnerable, a white hat hacker at Google’s Project Zero claimed Tuesday. A patch for the problem was out by Thursday, Engadget is reporting.

Tavis Ormandy, a researcher affiliated with Google’s security research team Project Zero, sarcastically asked if anyone actually uses LastPass on Twitter yesterday, adding that he found a bunch of fundamental security problems with little more than a quick glance, Betanews is reporting. LastPass is the most popular password storage service on the planet, with millions of users.

Recommended Videos

Are people really using this lastpass thing? I took a quick look and can see a bunch of obvious critical problems. I'll send a report asap.

— Tavis Ormandy (@taviso) July 26, 2016

Ormandy has sent a report of the security problems to LastPass, who have patched up the issues. The issue, LastPass says, is that a malicious website could access the Firefox extension without the user even knowing, and do things like delete passwords from the service. The issue is fully solved now.

Here are the details of the vulnerability I reported https://t.co/2fWFyBFzUm https://t.co/3HaEQRJEqa

— Tavis Ormandy (@taviso) July 28, 2016

Google’s Project Zero team routinely researches security flaws online, both in Google services and those created by other companies. Flaws are reported to the appropriate companies, who have 60 days to resolve the issue. At that point, Project Zero makes the flaws public. The idea is to encourage companies to fix the issues, and in this case that seems to be working: LastPass told Ormandy that a fix is on the way.

So we won’t know what problems Ormandy found for a while. But if you want to read something scary right now, researcher Mathias Karlsson also found a terrifying LastPass flaw malicious sites could use to grab all your passwords in bulk, if users leave the automatic login feature enabled.

“First, the code parsed the URL to figure out which domain the browser was currently at, then it filled any login forms with the stored credentials,” Karlsson wrote in a blog post outlining the issue. “However, the URL parsing code was flawed (bug in URL parsing? shocker!).”

LastPass was quick to respond to the problem, and even paid Karlsson a $1,000 bounty for finding and reporting the issue.

Karlsson, for his part, thinks password managers are worth using, despite flaws like this.

“They are still much better than the alternative (password reuse),” Karlsson wrote.

Having said that, disabling autofill might be a good idea, on LastPass and similar services.

Justin Pot
Justin's always had a passion for trying out new software, asking questions, and explaining things – tech journalism is the…
How to install macOS 27 Golden Gate public beta on your Mac?
From a smarter Siri to a more reliable Spotlight, here's your full walkthrough for installing macOS 27 Golden Gate's public beta today.
macOS 27 Golden Gate

Along with iOS 27’s public beta, Apple has also released macOS 27 Golden Gate’s public beta build, so that early adopters can get their hands on the new features, including Siri AI, and provide timely feedback to help ensure a stable iOS launch in September. 

If you’re sold on all the new features but don’t want to put your faithful MacBook through developer beta duty, a public beta offers a much more refined experience. To install macOS 27’s public beta, follow the steps given below. 

Read more
Microsoft is finally fixing the worst thing about Windows Search, but you can’t try it just yet
Windows Insiders in the Experimental channel are getting a Search experience that finally feels less of a billboard and more of what users actually need.
Page, Text, Person

Windows Search has been a mess for years, and I do not use that word lightly. Open it to find a file, and you get trending Bing topics, Microsoft Store promotions, and an AI tools tile that just opens a browser. 

That is changing, but not immediately for all users. Microsoft is rolling out a batch of Windows Search improvements to Insiders in the Experimental channel, and for once, this isn't just a fresh coat of paint.

Read more
Apple doesn’t want to share this AirPods feature with Meta, but the EU may force its hand
Spring 2027, EU only, built under DMA pressure.
The front of the Ray-Ban Meta smartglasses.

I’ve been an AirPods user for the last four years, and one of the things that makes it genuinely hard to leave behind is the seamless, almost magical pairing experience across devices. Open an AirPods case near your iPhone, and a pop-up appears within seconds. Switch to your Mac and the audio follows. 

However, the experience is limited only to Apple devices. Doesn’t matter whether you have one of the coolest pieces of tech on the market right now; if it’s not Apple, it won’t get the same treatment. However, that might change for the Meta Quest or the Ray-Ban Meta glasses, thanks to pressure from the EU. 

Read more