Flaw in LastPass Chrome extension could reveal login credentials
LastPass, in a security advisory, has asked users to update the Chrome extension for its password manager to the latest version. The flaw in the extension could let attackers obtain a user's login credentials if that user subsequently visits a website the attacker controls or has compromised. The extension, which has more than 10 million users, fills passwords into account login forms when the user clicks the LastPass "..." icon shown inside login fields. www.in.pcmag.com posted this, September 17, 2019.
Tavis Ormandy, a researcher with Google Project Zero, is credited with discovering the clickjacking flaw in the LastPass Chrome extension on 30 August. Project Zero is a team of white-hat hackers that concentrates on finding flaws in widely used software, according to ZDNet. Clickjacking tricks a user into clicking a disguised or hidden page element, which can inadvertently disclose secret information or even compromise the device.
LastPass says exploiting the flaw requires a series of actions by the user: filling a password with the LastPass icon, then visiting a malicious or compromised website, and finally being tricked into clicking on that page several times.
Ormandy reported the flaw to LastPass before disclosing it publicly, which gave the password-manager company time to patch the extension and push the update to users. LastPass says it developed a fix quickly and verified with Ormandy that the solution was comprehensive. Chrome normally updates extensions automatically, but users can confirm the installed version, and force an update check, from the chrome://extensions page.
This is not the first flaw found in LastPass. In March 2017, Ormandy discovered a vulnerability in the LastPass Chrome extension that, if exploited, let attackers not only steal passwords but also run malicious code. Then, too, Ormandy notified LastPass of the finding so the bug could be fixed before details were published.
The episode is a reminder that password managers, like any Internet service, can suffer security problems.
To guard against account hijacking, enabling two-factor authentication is advisable: a stolen password is then not enough on its own, because the login also requires a one-time code generated on the user's phone. That applies to the LastPass account itself and to the individual accounts whose passwords the manager stores, since a flaw of this kind exposes the credentials the extension fills into websites.
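The one-time code mentioned above is, in most authenticator apps, a TOTP value (RFC 6238, built on the RFC 4226 HOTP construction). The Python implementation below is an added example, not code from the article or from LastPass: the shared secret, time values and code lengths in the comments and checks are the RFC 6238 and RFC 4226 test vectors, while the base32 helper and the one-step verification window are assumptions about how a typical authenticator app and a server-side verifier behave.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, algorithm).digest()
    # Low nibble of the last byte selects where the 4-byte window starts.
    offset = digest[-1] & 0x0F
    # Clear the top bit so the value is the same on signed and unsigned platforms,
    # then keep only the requested number of decimal digits (zero-padded).
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time=None, step=30, digits=6, algorithm=hashlib.sha1):
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second periods since the epoch."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, unix_time // step, digits, algorithm)


def verify_totp(secret, code, unix_time=None, step=30, digits=6, window=1):
    """Server-side check of a submitted code.

    Accepts the code for the current time step and up to `window` steps on either
    side to tolerate clock drift between phone and server (the one-step window is
    an assumption, not a requirement of the RFC). Comparison is constant-time.
    """
    if unix_time is None:
        unix_time = int(time.time())
    counter = unix_time // step
    for delta in range(-window, window + 1):
        expected = hotp(secret, counter + delta, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


def secret_from_base32(encoded):
    """Authenticator apps usually carry the secret as unpadded base32 (assumed otpauth-style
    encoding); restore the '=' padding so the standard decoder accepts it."""
    cleaned = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"), shown here as an
    # authenticator app would store it, in base32.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    # At Unix time 59 the 8-digit SHA-1 code is 94287082 (RFC 6238 Appendix B).
    print("code at t=59:", totp(secret, 59, digits=8))
    print("current 6-digit code:", totp(secret))
```

Two points a deployment has to add on top of this: a code that has already been accepted must not be accepted again within the same window (replay protection), and the secret must be stored with the same care as a password hash, since anyone who reads it can generate codes.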
» SPAMfighter News - 9/19/2019