Mobile Tech Today
LastPass Warns Users As It Fixes 'Major' Vulnerability
Posted March 30, 2017
By Alex Hern. Updated March 30, 2017 9:59AM

Password manager LastPass is advising users to avoid using its browser plugins while it battles to fix a "major architectural problem," which could allow an attacker to steal passwords or execute code.

The vulnerability was discovered by Tavis Ormandy, a security researcher at Google, who tweeted about its existence over the weekend. In keeping with responsible disclosure norms, Ormandy did not publicly state how the bug is exploited, and informed LastPass of its existence.

In a warning to users, the password manager firm wrote: "We are now actively addressing the vulnerability. This attack is unique and highly sophisticated. We don’t want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties. So you can expect a more detailed post mortem once this work is complete."

It detailed three steps users could take to keep themselves safe: launch sites directly from the LastPass Vault; use two-factor authentication; and beware of phishing attacks.

Ormandy has been focusing research efforts on LastPass for some time now, as part of his work with Google’s Project Zero, a wing of the company devoted to finding and reporting security flaws in other companies’ products. A week earlier, LastPass issued a fix for a pair of issues the security researcher reported, saying: “We greatly value the work that Tavis, Project Zero, and other white-hat researchers provide. We all benefit when this security model works for responsibly disclosing bugs, and are confident LastPass is stronger for the attention.”

Despite the existence of bugs in products like LastPass, most information security experts recommend using a password manager. For the majority of users, password reuse is considered a more pressing security issue than the targeted hack of a password manager: data breaches occur with such regularity that anything which prevents the damage from spreading beyond the affected site is critical, and the vast majority of people are not capable of remembering enough unique, strong passwords to cover all the sites and services they use.

A minority of security researchers do have concerns over the password manager model, however. In 2014, Microsoft researchers Dinei Florêncio and Cormac Herley and Paul C Van Oorschot from Carleton University in Canada argued that password managers introduce a single point of failure, putting users at risk not only of a hack but also of simply losing or forgetting the password to their password manager.

© 2017 Guardian Web syndicated under contract with NewsEdge/Acquire Media. All rights reserved.

Juanita:
Posted: 2017-04-15 @ 11:26am PT
Will LastPass inform its customers when it is once again safe to use the browser plugin?
