
You should update the LastPass password manager browser extension immediately

The developers behind popular password manager LastPass have patched a loophole that exposed your last used password. Originally discovered in August by Tavis Ormandy, a researcher from Google’s Project Zero, the security flaw allowed malicious websites to trick the browser extension into giving away credentials you entered on a previous site.

LastPass says it rolled out an update for the browser add-on on September 13th, two weeks after the vulnerability was first reported by Ormandy.

In order to exploit the bug — which possibly only existed on Google Chrome and Opera — attackers simply had to create a fraudulent link masquerading as a URL from websites someone would trust, such as Google Translate. Once the person clicked the link, the hack required no user interaction and immediately executed an automated script which extracted your last used password.

“We quickly worked to develop a fix and verified the solution was comprehensive with Tavis. We have now resolved this bug; no user action is required and your LastPass browser extension will update automatically,” the company added in a blog post.

While the circumstances for the bug’s misuse are limited, these activities are common on the internet, and even if they had affected a fraction of LastPass’ user base, it would have cost thousands of users their sensitive data.

The fix should be applied to your browser automatically. However, it’s best to double-check by manually updating the LastPass extension.

How to manually update the LastPass password manager

To manually update LastPass, click the three dots at the top right corner of Google Chrome and go to More Tools > Extensions. Scroll down until you find LastPass. Click the Details button on LastPass’ card and then hit the Update button at the top.

On Opera, you can’t force updates and your only option is to reinstall the extension.

Even though you’d expect password managers to be built on the most secure frameworks, security vulnerabilities such as this one can happen. A similar security vulnerability in LastPass’ browser extension previously enabled malicious attackers to steal users’ passwords. Therefore, as an added security measure, we recommend switching on two-factor authentication for your accounts.

Editors' Recommendations

Shubham Agarwal
Shubham Agarwal is a freelance technology journalist from Ahmedabad, India. His work has previously appeared in Firstpost…
Update your Google Chrome browser now: New exploit could leave you open to hacks

If you’re a Google Chrome user, you should update the browser immediately. Google released a software update to the browser late yesterday evening that patches two zero-day vulnerabilities in the browser that could potentially allow it to be hijacked by hackers.
One of the vulnerabilities affects Chrome’s audio component (CVE-2019-13720) while the other resides in the PDFium (CVE-2019-13721) library.
Hackers can corrupt or modify the data in Chrome’s memory using the exploit, which will eventually give them access to the computer as a whole.
One of the exploits, CVE-2019-13720, has been discovered in the wild by researchers at Kaspersky.
Google says that the update to the browser will be rolling out to users automatically over the coming days and weeks.
That said, if you’re a Chrome user it would be more prudent for you to go ahead and do that update manually right now instead.
To make it happen you’ll want to launch Chrome on your computer and then click on “Chrome” in the menu bar followed by “About Chrome.” That will launch the Settings menu. From there, click “About Chrome” at the bottom of the menu on the left. That will likely trigger an automatic update if yours hasn’t already happened. If it doesn’t, you’ll see a button to manually update the browser as well.
Once you update the browser you should be good to go without fear of the security threat becoming an issue. Last month many Mac users ran into issues with Google Chrome when it seemed to send computers into an endless reboot cycle.
An investigation by Mac enterprise and IT blog Mr. Macintosh found that the issue was actually a bug that deletes the symlink at the /var path on the Mac it’s running on, which essentially deletes a key in the MacOS system file.
That issue only impacted Macs where the System Integrity Protection (SIP) had been disabled. The issue particularly impacted older Macs that were made before SIP was introduced with OS X El Capitan in 2015.
All this comes as Google is gearing up to launch some major updates to Chrome, including one update that will change how you manage tabs using the browser. That update is expected to roll out later this year.

MacOS Catalina already has a supplemental update, and you should download it now

Apple released a supplemental update for MacOS 10.15 Catalina on Tuesday measuring 985.4MB. The company recommends that all Catalina users install this update, as it brings fixes and improved reliability. Mac owners must restart their device to complete the update.

Here are the release notes:

CamScanner app found to have malware. You should delete it immediately

If you use an app called CamScanner for scanning documents, you might want to consider booting it off your phone immediately. A study by the security firm Kaspersky has found malware inside CamScanner, an app which has been around for about a decade and has accumulated 100 million downloads on Android.

The report says security researchers discovered malicious code inside the CamScanner versions published between June and July. CamScanner’s developers reportedly added a new advertisement module in that period.
