Last week, LastPass pushed an update to its password manager. As it now turns out, the update to version 4.33.0 fixed a dangerous bug discovered by Google Project Zero researcher Tavis Ormandy. The vulnerability allowed credentials entered on a previously visited site to leak, and LastPass reports that the problem affected the extensions for the Chrome and Opera browsers.
Ormandy explains that an attacker could extract the credentials from a previously visited site using clickjacking and iframes, while redirecting LastPass users to compromised or malicious sites. The researcher notes that this is not as difficult as it seems, since an attacker can, for example, hide a malicious link behind a Google Translate URL.
Simply put, if the victim visited site A and entered credentials there using LastPass, and then went to site B, the credentials for site A could be obtained through site B.
Although exploiting the bug required the victim to enter credentials using the LastPass icon, visit a hacked or malicious site, and click on the page several times, the developers rated the bug as very serious and hurried to issue a patch.
Since Ormandy notified the company privately and the bug was fixed quickly, there are reportedly no signs that attackers exploited this vulnerability.