Dear Visitor,

Our system has found that you are using an ad-blocking browser add-on.

We just wanted to let you know that our site content is, of course, available to you absolutely free of charge.

Our ads are the only way we have to be able to bring you the latest high-quality content, which is written by professional journalists, with the help of editors, graphic designers, and our site production and I.T. staff, as well as many other talented people who work around the clock for this site.

So, we ask you to add this site to your Ad Blocker’s "white list" or to simply disable your Ad Blocker while visiting this site.

Continue on this site freely
You are here: Home / Data Security / LastPass Fixing 'Major' Vulnerability
LastPass Warns Users As It Fixes 'Major' Vulnerability
LastPass Warns Users As It Fixes 'Major' Vulnerability
By Alex Hern Like this on Facebook Tweet this Link thison Linkedin Link this on Google Plus
Password manager LastPass is advising users to avoid using its browser plugins while it battles to fix a "major architectural problem," which could allow an attacker to steal passwords or execute code.

The vulnerability was discovered by Tavis Ormandy, a security researcher at Google, who tweeted about its existence over the weekend. Keeping with responsible disclosure norms, Ormandy did not publicly state how the bug is exploited, and informed LastPass of its existence.

In a warning to users, the password manager firm wrote "We are now actively addressing the vulnerability. This attack is unique and highly sophisticated. We don’t want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties. So you can expect a more detailed post mortem once this work is complete."

It detailed three steps users could take to keep themselves safe: launch sites directly from the LastPass Vault; use two-factor authentication; and beware of phishing attacks.

Ormandy has been focusing research efforts on LastPass for some time now, as part of his work with Google’s Project Zero, a wing of the company devoted to finding and reporting security flaws in other company’s products. A week earlier, LastPass issued a fix for a pair of issues the security researcher reported, saying: “We greatly value the work that Tavis, Project Zero, and other white-hat researchers provide. We all benefit when this security model works for responsibly disclosing bugs, and are confident LastPass is stronger for the attention.”

Despite the existence of bugs in products like LastPass, most information security experts recommend using a password manager. For the majority of users, password reuse is considered a more pressing security issue than the targeted hack of a password manager: data breaches occur with such regularity that anything which prevents the damage from spreading beyond the affected site is critical, and the vast majority of people are not capable of remembering enough unique, strong passwords to cover all the sites and services they use.

A minority of security researchers do have concerns over the password manager model, however. In 2014, Microsoft researchers Dinei Florêncio and Cormac Herley and Paul C Van Oorschot from Carelton University in Canada argued that they introduce a single point of failure, putting users not only at risk of a hack, but also simply losing or forgetting the password to their password manager.

© 2017 Guardian Web under contract with NewsEdge/Acquire Media. All rights reserved.
Tell Us What You Think


Posted: 2017-04-15 @ 11:26am PT
Will LastPass inform its customers when it is once again safe to use the browser plugin?

Like Us on FacebookFollow Us on Twitter
© Copyright 2017 NewsFactor Network. All rights reserved. Member of Accuserve Ad Network.