Password manager LastPass is in the spotlight once again after Google Project Zero researcher Tavis Ormandy reported three separate vulnerabilities in the service. LastPass was affected by an autofill vulnerability earlier this year, in addition to a major breach back in 2015 and numerous reported flaws. Of the three reported vulnerabilities, LastPass claims to have resolved one.
LastPass Password Manager Affected by Multiple Security Flaws, Researcher Reveals
LastPass says it has resolved the vulnerabilities pointed out by Tavis Ormandy. It also says that users will not need to change their passwords or any site credential passwords. LastPass adds that users must ensure they are running the latest version of LastPass. It also claims that the vulnerabilities in LastPass v4.1.42 and v4.1.35 were caused by the same issue, which has been resolved.
Tavis Ormandy explains that a coding flaw in the LastPass service allowed anyone to “proxy” unauthenticated commands to a LastPass browser extension. By exploiting the problem, a hacker could obtain access to privileged LastPass commands including “the obviously bad ones,” such as “copying and filling in passwords (copypass, fill form, etc)”.
LastPass, in a blog post released today, explained that the bug was related to an experimental feature that was enabled on all LastPass browser clients. The company claimed that the three vulnerabilities are largely the same. It issued a fix before the vulnerability was publicly revealed and says updates for users should be applied automatically. LastPass is not currently asking users to update any passwords.
“We have no indication that any of the reported vulnerabilities were exploited in the wild. But we’re doing a thorough review at this time to confirm,” the company said in the blog post. “We will soon provide a more comprehensive summary of the events and what our community needs to know.”
This isn’t the first time Ormandy has reported an issue in LastPass. Last year, the researcher sent a report on “a complete remote compromise” to the company. On Twitter, this time he credited LastPass with a swift response. “Very impressed with how fast @LastPass responds to vulnerability reports,” he wrote. “If only all vendors were this responsive.”