Password manager LastPass has pushed a new update for Firefox users that fixes reported security vulnerabilities. The release follows a Google (NASDAQ:GOOGL) researcher's discovery of a hole in the browser extension that could completely compromise a customer's account.
The vulnerability is triggered when a user running Firefox with the LastPass extension installed visits a malicious website; no further interaction is needed once the page loads. LastPass fixed the flaw within 24 hours of being notified.
What is LastPass?
LastPass is a freemium cloud password vault which functions as an extension for different web browsers. It is one of the most popular password managers in the world and it can be downloaded for free.
The app lets users view, manage, delete and create items stored in the cloud vault, including passwords, bank account details and credit card information.
The add-on can also generate strong passwords and save them automatically to the vault, and it can save sites together with their credentials for later use.
In overview, LastPass offers a single master password, cross-browser synchronization, secure password generation, password encryption, password import and export, form filling, multifactor authentication, fingerprint verification, cross-platform availability and credit card monitoring for free and premium users (in the USA only).
By serving as a gatekeeper for all of a user's accounts, the password manager encourages strong digital security.
‘Zero-day’ flaw requires tricking the user to enter a malicious website via a phishing attack
The bug was discovered by Tavis Ormandy, a white-hat security researcher at Google and a member of its Project Zero team.
Project Zero has already found several vulnerabilities in antivirus and security products from vendors such as Avast, Comodo, Kaspersky, and Bromium.
On Wednesday, the researcher showed that an attacker only needs to lure a LastPass user to a malicious website. Once the page is open, a remote attacker can drive the add-on's actions in the background without the user's knowledge.
Through his Twitter account, @taviso, Ormandy described his findings as a "remote compromise" of the extension. He also shared the full report with LastPass so that the necessary patch could be built.
He also mocked the software when he found the bug. “Are people really using this LastPass thing,” he wrote on the social network.
How to be safe?
The bug affects LastPass 4.0 and later for Firefox, prior to the patched release. The company has published a patch that addresses the flaw in that browser. Users who do not use LastPass in Firefox need take no further action.
The fix ships in version 4.1.21a, which is being pushed automatically through the browser's add-on update mechanism.
For a manual update, type about:addons in the address bar and press Enter. Next, click Extensions in the left-hand navigation bar, find LastPass, click the settings (gear) control in the upper-right corner, and select Check for Updates. Afterwards, confirm that the version shown next to the LastPass entry is 4.1.21a or later; if it is not, the update has not been applied yet.
Alternatively, you can download the fixed version from the official LastPass site.
Although the patch closes the bugs described above, the company still urges customers to follow certain guidelines to keep their passwords safe.
So, despite LastPass's update, customers should follow general practices for online security. This includes staying alert to phishing attempts and using a different, strong password for each online account.
The company also suggests routinely running antivirus software and enabling two-factor authentication on the master password used to unlock the add-on.
Our apologies for the disruption as we migrate to new data centers (https://t.co/dEg0x7ZPRK). Service should now be fully restored.
— LastPass Status (@LastPassStatus) July 26, 2016
Needless to say, this is not the first time the password manager has had to fix a security flaw.
Not the first time
Over a year ago, security researcher Mathias Karlsson found a URL-parsing bug that could trick the extension into treating a page as belonging to a different site. A spoofed URL or fake page could therefore get the add-on's autofill feature to hand over the credentials saved for the site being impersonated.
LastPass quickly patched the bug and awarded Karlsson a $1,000 bounty for his help.
Full report sent to LastPass, they're working on it now. Yes, it's a complete remote compromise. Yes, I promise I'll look at 1Password.
— Tavis Ormandy (@taviso) July 27, 2016
Thus, an app that offers centralized, encrypted access to all of your passwords from anywhere also means you are trusting your online security to a third party. LastPass was already breached last year; the company said that no encrypted user vault data was lost or accessed. So far, despite the flaws, it has held up reasonably well.
Just last year, white-hat researchers were able to sneak malicious apps past App Store review that could steal passwords from iOS's built-in password management tool, Keychain, as well as from the popular 1Password.
The US National Institute of Standards and Technology recommends moving away from SMS codes toward dedicated authenticator apps for two-factor authentication, a method Google already offers. Two-factor authentication requires the user to prove their identity with a second method after entering the password, most often by entering a one-time code, which has commonly been delivered via SMS.
Source: Washington Post