LastPass has fixed a security bug that could have revealed credentials entered on a previously visited site. But to be safe, LastPass users should check that they’re running the most current version of the password manager.
The bug was initially spotted and reported by security researcher Tavis Ormandy on August 29. LastPass then issued a fix last week on September 12.
According to LastPass, malicious actors could exploit the bug by luring unsuspecting users into filling a password using the LastPass icon and then visiting a compromised website. The user would then be tricked into clicking on the page several times, which in turn could result in LastPass revealing the credentials used for the previously visited site. The bug was limited to certain browsers — Chrome and Opera, to be specific — but LastPass says it sent the fix to all browsers.
Technically, you don’t have to do anything to receive the update. LastPass says it should be applied automatically to all browser extensions. That said, who hasn’t, on occasion, disabled automatic updates and then forgotten about it later?
If you’re a LastPass user, it’s a good idea to manually check that you’re running the September 12 update, version 4.33.0.
This bug also isn’t a sign that you should give up on password managers altogether. They’re still a vital part of good online security hygiene — it’s just that, like any service, password managers are coded by fallible humans, and therefore susceptible to the occasional bug.
In this case, Ormandy disclosed the bug to LastPass via the proper reporting channels, so there’s no reason to assume that the bug was exploited in the wild. It’s also a good example of why you should still use multi-factor authentication on top of using a password manager, especially for sensitive accounts.