Google Project Zero has found a credential leaking vulnerability in the LastPass password manager.
Security analysts at Google's Project Zero team typically report to the vendor concerned and start a 90-day countdown for a fix to be issued before full public disclosure is made.
Project Zero disclosed that a security vulnerability left some of those 16 million users exposed to the risk of credential compromise as LastPass could leak the last password used to any website visited.
LastPass is in the security business, being one of the most popular password management solutions with more than 16 million users, including 58,000 businesses.
In a tweet, Google Project Zero analyst Tavis Ormandy stated that "LastPass could leak the last used credentials due to a cache not being updated," adding "this was because you can bypass the tab credential cache being populated by including the login form in an unexpected way!"
Google's report revealed "a limited set of circumstances on specific browser extensions that could potentially allow an attacker to create a clickjacking scenario," Ferenc Kun, the security engineering manager for LastPass.
No user action is required and your LastPass browser extension will update automatically, according to Kun.
Additionally, while any potential exposure due to the bug was limited to specific browsers (Chrome and Opera), as a precaution, LastPass says it has deployed the update to all browsers.
As a reminder LastPass continues to recommend the following general best practices for added online security:
- Beware of phishing attacks. Do not click on links from people you don’t know, or that seem out of character from your trusted contacts and companies.
- Always enable MFA for LastPass and other services like your bank, email, Twitter, Facebook, etc. Adding additional layers of authentication remains the most effective way to protect your account.
- Never reuse your LastPass master password and never disclose it to anyone, including us.
- Use different, unique passwords for every online account.
- Keep your computer malware-free by running antivirus with the latest detection patterns and keeping your software up-to-date.