
LastPass unpatched zero-day vulnerability gives hackers access to your account

The security flaw was one of "a bunch of critical problems" discovered by a prominent researcher who simply took a quick look at the software. [updated]
Written by Charlie Osborne, Contributor

[Update 8.38am GMT: LastPass statement]

A dangerous, previously unknown security vulnerability has been discovered in LastPass which permits attackers to remotely compromise user accounts.

LastPass is a password vault that keeps user credentials in an encrypted store and auto-fills them into login forms. The vault is protected with AES-256 encryption, with the key derived from the master password via PBKDF2-SHA256 and salted hashing. That protects the stored data, but it does not help against a flaw in the client that has already unlocked the vault, and according to Google Project Zero researcher Tavis Ormandy the software contains a "bunch of critical problems" which could put user accounts at risk.

On Tuesday, the white hat researcher revealed on Twitter that he was exploring LastPass security, claiming that it only took a "quick look" to find "obvious" security problems.


According to The Register, millions of users may be at risk until the problem is patched -- and it only takes a visit to a malicious website to become a victim. If an attacker is able to compromise a LastPass account, this gives them access to a treasure trove of credentials for other online services.

Ormandy has sent LastPass a report detailing the zero-day and the other critical issues he found. However, no technical details have been released, and none are likely to be until LastPass has reproduced his findings and patched the problems.

The researcher, who has previously found critical problems in software including Symantec and Avast products, is setting his sights on 1Password next.


LastPass said in a blog post:

"An attacker would need to successfully lure a LastPass user to a malicious website. Once there, Ormandy demonstrated that the website could then execute LastPass actions in the background without the user's knowledge, such as deleting items. As noted below, this issue has been fully addressed and an update with a fix was pushed for all Firefox users using LastPass 4.0."
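The statement does not say how the malicious page reached the extension's privileged actions, and nothing here reconstructs the actual bug. What follows is an added illustration, not LastPass code, of the check that stops this class of problem in any browser extension: a privileged message handler that acts only when the browser-reported sender origin is the extension's own UI, and scopes the one page-facing action (form filling) to the page's own host. The extension id, vault contents and action names are assumptions constructed for the example.

```javascript
// Added illustration (not LastPass code): a privileged extension handler that
// refuses to act on messages arriving from arbitrary web pages.
// Assumed: the extension's own UI lives at EXTENSION_ORIGIN (hypothetical id);
// the unlocked vault is an in-memory Map of hostname -> password.
const EXTENSION_ORIGIN = "chrome-extension://abcdefghijklmnopabcdefghijklmnop";

// Constructed sample vault, already unlocked by the user.
function makeVault() {
  return new Map([
    ["example.com", "p@ss1"],
    ["bank.example", "p@ss2"],
  ]);
}

// Actions that a web page must never be able to trigger on its own.
const PRIVILEGED = new Set(["deleteItem", "listItems"]);

// sender.origin is what the browser reports for the message, not a field the
// page can set; the decision is made on that, never on anything in msg.
function handleMessage(vault, sender, msg) {
  if (PRIVILEGED.has(msg.action) && sender.origin !== EXTENSION_ORIGIN) {
    return { ok: false, error: "privileged action from untrusted origin " + sender.origin };
  }
  switch (msg.action) {
    case "deleteItem":
      return { ok: vault.delete(msg.site) };
    case "listItems":
      return { ok: true, items: [...vault.keys()] };
    case "fillFor": {
      // Pages may ask for a fill, but only for the host they are actually on:
      // msg.site is ignored, the browser-reported origin decides.
      const host = new URL(sender.origin).hostname;
      return vault.has(host)
        ? { ok: true, password: vault.get(host) }
        : { ok: false, error: "no entry for " + host };
    }
    default:
      return { ok: false, error: "unknown action" };
  }
}

// Constructed demonstration: a malicious page tries to delete a vault entry in
// the background, then the extension's own UI performs the same deletion.
function demo() {
  const vault = makeVault();
  const attackerPage = { origin: "https://evil.example" };
  const ownUi = { origin: EXTENSION_ORIGIN };
  const fromPage = handleMessage(vault, attackerPage, { action: "deleteItem", site: "bank.example" });
  const fromUi = handleMessage(vault, ownUi, { action: "deleteItem", site: "bank.example" });
  return { blocked: !fromPage.ok, allowed: fromUi.ok, remaining: vault.size };
}

console.log(demo());
```

The point is where the trust decision is taken: on the origin the browser attaches to the message, not on any parameter the page supplies, and with every state-changing action on the privileged list by default.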
