LastPass Vulnerability Left User Credentials Exposed

LastPass recently identified and resolved a security bug that left customer credentials vulnerable to hackers.

What happened?

A security researcher from Google’s Project Zero discovered a flaw in LastPass’s browser extension for Chrome and Opera that could expose the last site credentials filled in by LastPass. For this information to be exposed, a user would need to have filled in a password using the LastPass browser extension, then visited a malicious website and clicked on that website several times.

What is clickjacking?

Clickjacking is when a hacker conceals a hidden clickable element (such as an invisible frame or button) within or on top of legitimate-looking content, so that the user’s clicks are redirected to actions they never intended to take.

For example, let’s pretend a user is trying to download a song from a website. The user clicks the “download song” button, expecting to receive the music file. Unfortunately, a hacker has hidden a link to the user’s security permissions behind the download button. When the user clicks the button, they unknowingly agree to disable their security protections! Now the hacker can freely access and corrupt the user’s files without the user knowing a thing!
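Websites defend against being loaded inside a hidden frame by sending framing-control headers. The following checker is an added example written for this post (it is not LastPass code, and the sample responses are constructed); it classifies a response’s headers as protected, unprotected, or misconfigured against clickjacking.

```python
"""Classify an HTTP response's anti-clickjacking headers (added example)."""
from typing import Mapping, Optional


def _csp_frame_ancestors(csp: str) -> Optional[list]:
    """Return the frame-ancestors source list from a CSP header, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def framing_protection(headers: Mapping[str, str]) -> str:
    """Return 'protected', 'unprotected' or 'misconfigured'.

    Browsers that support both honour Content-Security-Policy frame-ancestors
    over X-Frame-Options, so the CSP directive is examined first.
    """
    lowered = {k.lower(): v for k, v in headers.items()}

    ancestors = _csp_frame_ancestors(lowered.get("content-security-policy", ""))
    if ancestors is not None:
        # 'none' or an explicit origin list blocks framing by arbitrary sites;
        # '*' lets any site frame the page, which is as weak as no policy.
        return "unprotected" if "*" in ancestors else "protected"

    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "protected"
    if xfo:
        # ALLOW-FROM and any other value are ignored by modern browsers,
        # so the page stays frameable despite the header being present.
        return "misconfigured"
    return "unprotected"


# Constructed sample responses, not captured from any real site.
SAMPLES = {
    "hardened": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "legacy": {"X-Frame-Options": "SAMEORIGIN"},
    "open": {"Content-Type": "text/html"},
    "bad": {"X-Frame-Options": "ALLOW-FROM https://example.com"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name}: {framing_protection(hdrs)}")
```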

UPDATE: The bug has been resolved. The LastPass browser extension has been automatically updated. Users are encouraged to ensure they have version 4.33.0 of LastPass installed.

How to check what version of LastPass you have installed:

  1. Click on the LastPass browser extension
  2. Click on “Account Options”
  3. Click on “About LastPass”
  4. The results should say “Version: 4.33.0”. If it does not, uninstall and reinstall LastPass through their website.

Next Steps

No users are reported to have been impacted by the flaw, and there are no signs that the vulnerability has been exploited by any malicious actors. We encourage everyone to implement the following best practices for online security.

Implement These Cyber Security Best Practices For Additional Protection

  • Do not click on links from unknown contacts or that seem out of character for known contacts.
  • Always enable multi-factor authentication for your personal accounts and social media.
  • Never use your LastPass master password anywhere else. Never share it with anyone else or write it down!
  • Use a unique, complex password for every online account.
  • Have a trusted cyber security provider monitor and implement antivirus and antimalware protections on your PCs.
  • Have your IT MSP perform regular maintenance and system patching on your business network to keep your software and hardware up to date.

Do you need cyber security management for your small business? Performance Connectivity, Inc. provides comprehensive cyber security for small businesses by implementing a multi-point approach that addresses the most common weaknesses in network security. Our services include proactive monitoring, endpoint and DNS protection, dark web monitoring and regular cyber security awareness training for employees.
