LastPass Fixes Vulnerability That Could Lead to Data Leakage

Last week, the developers of the popular password manager LastPass released an update that fixes a vulnerability that could lead to the leakage of user data. The issue was reported after it was resolved, and LastPass users were advised to update their password manager to the latest version.

The vulnerability allowed attackers to steal the data a user had entered on the last visited website. The problem was discovered last month by Tavis Ormandy, a member of Google Project Zero, which conducts research in the field of information security.


LastPass is currently the most popular password manager. The developers fixed the vulnerability in version 4.33.0, which was publicly released on September 12th. Users who do not use LastPass' automatic update feature are advised to download the latest version of the software manually. This should be done as soon as possible: after the vulnerability was fixed, the researchers published its details, which attackers can use to steal passwords from devices on which the application has not yet been updated.

Exploiting the vulnerability involves executing malicious JavaScript code on the target device, without any user interaction. Attackers can lure users to malicious sites in order to steal credentials stored in the password manager. Tavis Ormandy believes the vulnerability is easy to exploit because attackers can disguise a malicious link and trick a user into clicking it, then steal the credentials that were entered on the previous site.

LastPass representatives have not commented on the situation. At the moment, there are no known cases of attackers exploiting this vulnerability.



Source: 3dnews.ru
