Users tricked into disclosing credentials

LastPass has resolved a flaw in the browser extension of its password manager software that created a clickjacking risk.

The bug produced a way for malicious sites to trick LastPass users into disclosing the credentials of a site they had previously visited.

The credentials had to have been filled in by the password manager in the same browser tab, said Tavis Ormandy, a security researcher from Google’s Project Zero, who discovered the issue.

Details of the bug, which was found late last month, were made public over the weekend after LastPass updated its browser add-on to resolve the flaw.

Ormandy explained in a Twitter update: “LastPass could leak the last used credentials due to a cache not being updated.

“This was because you can bypass the tab credential cache being populated by including the login form in an unexpected way.”

In an advisory, LastPass acknowledged the problem but downplayed the seriousness of the issue. It said the affected browser extension software should be updated automatically.

“To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times,” LastPass explained.

“This exploit may result in the last site credentials filled by LastPass to be exposed. We quickly worked to develop a fix and verified the solution was comprehensive with Tavis [Ormandy].

“We have now resolved this bug; no user action is required and your LastPass browser extension will update automatically.

“Additionally, while any potential exposure due to the bug was limited to specific browsers (Chrome and Opera), as a precaution, we’ve deployed the update to all browsers,” LastPass concluded.

Security bugs of one sort or another affecting LastPass are far from unprecedented.

For example, in June 2018 developers of the password manager software came under fire over security concerns about a subdomain autofill feature.

More recently, a server failure last November left many users unable to log into their password vaults.