Serious vulnerability in the password manager "LastPass": three measures users should take
A Google researcher has revealed a serious vulnerability in the password manager "LastPass" that could allow a malicious party to steal a user's passwords and execute code. LastPass is working on a fix for the vulnerability and, in the meantime, is warning users to take measures such as "do not use the plugin".
Security Update for The LastPass Extension | The LastPass Blog
LastPass warns users to exercise caution while it fixes 'major' vulnerability | Technology | The Guardian
Tavis Ormandy, a researcher at Google's "Project Zero", which finds security vulnerabilities in other companies' services and products, tweeted that LastPass has a serious vulnerability. Ormandy has not publicly disclosed how to exploit the vulnerability; he has reported the details only to LastPass and asked for the problem to be corrected.
"Ah-ha, I had an epiphany in the shower this morning and realized how to get codeexec in LastPass 4.1.43. Full report and exploit on the way." pic.twitter.com/vQn20D9VCy - Tavis Ormandy (@taviso), March 25, 2017
In response, LastPass announced on its official blog that it is dealing with the problem. The blog states: "We are actively dealing with the problem. The attacks through this vulnerability are unique and highly refined and may encourage malicious attacks, so we cannot convey more information about the vulnerability." Instead, LastPass asks users to take the following three measures until the vulnerability is fixed.
· Access services from the LastPass Vault (do not use the plugin)
· Enable two-step authentication
· Be alert to phishing attacks
LastPass is not alone: vulnerabilities in password managers are pointed out often, yet many security experts still recommend using a password manager. This is because, for many users, the way they otherwise handle passwords is more dangerous than an attack aimed at an individual password manager. On the other hand, some security experts are concerned that using a password manager carries not only the risk of being hacked but also the risk of losing access to all of your passwords if you forget the master password.
· Additional notes, April 4, 2017, 9:50
LastPass updated its official blog to report that the fix for the vulnerability was complete and to explain its cause. The vulnerability pointed out by the Google researcher was the possibility of information being stolen or manipulated through the browser extension. To carry out an attack, a user would have to be led to a malicious website, for example through a phishing attack or via a website infected with malicious adware; through such a malicious website it appears there was a possibility of code being executed in the user's local browser.
All affected browser extensions have been fixed, and the latest version (4.1.44 or later) has been released in each extension store. Installed LastPass extensions are updated automatically, but LastPass asks users to confirm manually that the update has been applied. Only LastPass's browser extension was affected; the iOS, Android and Windows Phone applications were not.