LastPass Exploit Shows That Last Password You Made Probably Wasn’t Your Last

LastPass is one of the most prominent password managers around. It’s extremely convenient, but if it were compromised it would be quite the pain in the arse for users. In a blog post, the company has warned that a serious vulnerability has been reported and outlined what action users should take in the meantime.

Tavis Ormandy, a vulnerability researcher with Google’s Project Zero, tweeted on Sunday that he had found a client-side vulnerability in the latest version of LastPass’ software, describing it as “a major architectural problem”. Project Zero’s policy is to withhold the details of a vulnerability for 90 days after notifying the affected vendor, which gives LastPass a window to ship a fix before anything is made public. According to Ormandy, this one is going to take a while to work out.

LastPass acknowledged the problem on Monday, but it is not going into detail about the nature of the vulnerability. It is, however, offering users some advice on what to do in the meantime. The first two recommendations are boilerplate: watch out for phishing attacks and use two-factor authentication. At this point two-factor authentication needs to just be a way of life, and please don’t open that random attachment a stranger emailed you. The third recommendation is the annoying one: launch password-protected sites from the LastPass vault, because, in the company’s words, “this is the safest way to access your credentials and sites until this vulnerability is resolved”. That is, of course, less annoying than having your entire online identity stolen.

Most likely, the safest thing you can do is stop using the LastPass extension until it is fixed, change all of your passwords, and enable two-factor authentication on everything. Whether that is worth the hassle is up to you.

Ormandy has previously found two other LastPass vulnerabilities, both of which were quickly patched. This one looks like a larger undertaking. 9to5 Mac is reporting that “the vulnerability appears to be present only in Google Chrome”, but I’m not seeing that in the linked thread and LastPass isn’t saying it either, so assume for now that every version is affected.

The beauty of a password manager is that it makes it easy to use a strong, unique password for every site. Don’t let this scare you away from them. All software has its flaws.

[LastPass via Ars Technica, 9to5 Mac]

