LastPass, used by millions, may be vulnerable to shockingly simple exploits

LastPass was vulnerable, a white hat hacker at Google’s Project Zero claimed Tuesday. A patch for the problem was out by Thursday, Engadget is reporting.

Tavis Ormandy, a researcher with Google’s security research team Project Zero, sarcastically asked on Twitter yesterday whether anyone actually uses LastPass, adding that he had found a bunch of fundamental security problems with little more than a quick glance, Betanews is reporting. LastPass is the most popular password storage service on the planet, with millions of users.

Are people really using this lastpass thing? I took a quick look and can see a bunch of obvious critical problems. I'll send a report asap.

— Tavis Ormandy (@taviso) July 26, 2016

Ormandy has sent a report of the security problems to LastPass, which has since patched the issues. The problem, LastPass says, was that a malicious website could access the Firefox extension without the user even knowing and do things like delete passwords from the service. LastPass says the issue is now fully resolved.

Here are the details of the vulnerability I reported https://t.co/2fWFyBFzUm https://t.co/3HaEQRJEqa

— Tavis Ormandy (@taviso) July 28, 2016

Google’s Project Zero team routinely researches security flaws online, both in Google services and those created by other companies. Flaws are reported to the appropriate companies, who have 60 days to resolve the issue. At that point, Project Zero makes the flaws public. The idea is to encourage companies to fix the issues, and in this case that seems to be working: LastPass told Ormandy that a fix is on the way.

So we won’t know what problems Ormandy found for a while. But if you want to read something scary right now, researcher Mathias Karlsson also found a terrifying LastPass flaw malicious sites could use to grab all your passwords in bulk, if users leave the automatic login feature enabled.

“First, the code parsed the URL to figure out which domain the browser was currently at, then it filled any login forms with the stored credentials,” Karlsson wrote in a blog post outlining the issue. “However, the URL parsing code was flawed (bug in URL parsing? shocker!).”
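As an added illustration of the class of flaw Karlsson describes (this is constructed example code, not LastPass's or Karlsson's, and the article does not show LastPass's actual parser), here is a naive host check that a crafted URL can satisfy next to a check that uses a real URL parser and compares the hostname exactly. The function names, the sample stored domain `twitter.com` and the sample URLs are assumptions made for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Constructed naive extractor: take everything between "://" and the first "/",
# then look for the stored domain anywhere inside it as a substring.
NAIVE_HOST_RE = re.compile(r"^[a-z]+://([^/]+)")


def naive_matches(url: str, stored_domain: str) -> bool:
    """Illustrative flawed check: substring test on a hand-rolled 'authority'."""
    m = NAIVE_HOST_RE.match(url)
    if not m:
        return False
    authority = m.group(1)
    # The stored domain may appear in a fragment, a port, or a longer host and
    # still "match" here, so this decides autofill on the wrong thing.
    return stored_domain in authority


def strict_matches(url: str, stored_domain: str) -> bool:
    """Hardened check: real URL parsing, scheme enforced, exact hostname compare."""
    parts = urlsplit(url)
    if parts.scheme != "https":           # never autofill over plain HTTP
        return False
    host = parts.hostname                  # lower-cased, no userinfo, no port, no fragment
    if host is None:
        return False
    # Allow the exact host or a true subdomain (a deliberate policy choice); a
    # host that merely *contains* the stored domain is rejected.
    return host == stored_domain or host.endswith("." + stored_domain)


# Constructed sample URLs a reviewer would run against both checks.
SAMPLES = [
    ("https://twitter.com/login", True),                 # legitimate page
    ("https://twitter.com.evil.example/login", False),   # stored domain is only a prefix
    ("https://evil.example#twitter.com", False),         # stored domain sits in the fragment
    ("http://twitter.com/", False),                      # wrong scheme for autofill
]


def compare_checks(stored_domain: str = "twitter.com") -> dict:
    """Return {url: (naive_result, strict_result, expected)} for the samples."""
    return {u: (naive_matches(u, stored_domain), strict_matches(u, stored_domain), exp)
            for u, exp in SAMPLES}


if __name__ == "__main__":
    for url, (naive, strict, expected) in compare_checks().items():
        print(f"{url:45} naive={naive!s:5} strict={strict!s:5} expected={expected}")
```

The strict check is only as good as the parser behind it, so the sample list is the kind of regression test that belongs beside any autofill domain matcher.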

LastPass was quick to respond to the problem, and even paid Karlsson a $1,000 bounty for finding and reporting the issue.

Karlsson, for his part, thinks password managers are worth using, despite flaws like this.

“They are still much better than the alternative (password reuse),” Karlsson wrote.

Having said that, disabling autofill might be a good idea, on LastPass and similar services.

Justin Pot
Former Digital Trends Contributor