LastPass exploit discovered by Google Project Zero, promptly patched

Written 8 months ago by IanDorfman

Google’s well-known Project Zero bug and exploit research team discovered a vulnerability in the popular LastPass password manager that could have been used to expose users’ stored credentials.

The post describing how the bug could be reproduced and potentially exploited was made by Project Zero’s Tavis Ormandy. He listed the steps that showcase the heart of the bug: a user enters a password via the LastPass icon, is duped into visiting a malicious site, and on repeated visits to that site the previous site’s credentials erroneously populate.

Shortly after the report reached the LastPass development team, the bug was patched, with the fix delivered automatically and no action required from users. In a post on the official LastPass blog, the development team offered the following security reminders:

Beware of phishing attacks. Do not click on links from people you don’t know, or that seem out of character from your trusted contacts and companies.

Always enable multi-factor authentication for LastPass and other services like your bank, email, Twitter, Facebook, etc. Adding additional layers of authentication remains the most effective way to protect your account.

Never reuse your LastPass master password and never disclose it to anyone, including LastPass itself.

Use different, unique passwords for every online account.

Keep your computer malware-free by running antivirus with the latest detection patterns and keeping your software up-to-date.

In addition to security-focused groups like Project Zero, LastPass also sponsors a dedicated bug bounty program through Bugcrowd.

As of this post, no attacks exploiting this bug had been reported, and all Internet-connected installs of LastPass have been patched automatically.

Further coverage:
Project Zero issue tracker post
LastPass blog post
Ars Technica
Engadget