Popular password management app LastPass has revealed in a blog post that it has recently patched a security bug that could have revealed a user’s credentials entered on a previously visited site. The company was notified of the bug by Google’s Project Zero security researcher Tavis Ormandy on August 29 (via Engadget).
According to LastPass, a user would have to take a series of actions for the bug to be exploited: fill a password using the LastPass icon, then visit a compromised or malicious site, and finally be tricked into clicking on the page several times. The result could be the exposure of the last site credentials that LastPass filled.
Although the bug was limited to Chrome and Opera, LastPass says it sent the fix to all browsers as a precaution:
We quickly worked to develop a fix and verified the solution was comprehensive with Tavis. We have now resolved this bug; no user action is required and your LastPass browser extension will update automatically.
Additionally, while any potential exposure due to the bug was limited to specific browsers (Chrome and Opera), as a precaution, we’ve deployed the update to all browsers.
LastPass says it issued the fix last week, on September 12, and although the patch should have arrived automatically, we highly recommend that all LastPass users check that they are running the most current version of the password manager.