Zero-day vulnerability found in LastPass

Jul 28, 2016
360TS


Google Project Zero hacker Tavis Ormandy has reported a critical zero-day vulnerability in the cloud password management application LastPass. The service manages all of a user’s passwords: a single master password unlocks the rest, and the stored credentials are filled in automatically on the corresponding websites.

Zero-day vulnerability discovered

A zero-day vulnerability is a software flaw unknown to the software’s developers. Exploiting this one would compromise a user’s LastPass account and, as a result, give an attacker access to every password stored for that user’s online services.

Ormandy discovered several security flaws in LastPass. By exploiting these vulnerabilities, he was able to retrieve passwords stored with the service. The patched vulnerability lay in the tool’s Firefox extension: a design flaw in the communication between its privileged and unprivileged components.

As a result of Ormandy’s contribution, this vulnerability has already been patched by LastPass. The company pushed the fix to all Firefox users running LastPass 4.0, according to a blog post on its website. In addition, LastPass awarded Ormandy a $1000 bounty for his collaboration.

Reduce the risk of being hacked

Whether or not you use a password manager, follow these recommendations to reduce the risk of your passwords being compromised:

– First of all, use a unique password for each online account.
– Create strong passwords. Read more on how to create robust passwords.
– Activate two-factor authentication on every service that offers it.
– Install the latest security updates for your software.
– Finally, use an antivirus and keep it up to date.