UPDATED 06:39 EDT / MARCH 23 2017

LastPass issues patch for vulnerability that exposed user passwords

Password security firm LastPass Inc. has issued patches for its Chrome and Firefox plugins after a security researcher at Google Inc. found vulnerabilities that could have allowed attackers to steal users’ passwords or execute malicious code on their computers.

Discovered by Google’s Tavis Ormandy, the vulnerabilities could have given attackers access to internal commands inside the LastPass extension, including the very commands used by the extension to copy passwords or fill in web forms using the victim’s personal information that is meant to be securely stored.

LastPass confirmed the vulnerabilities, saying that the issue was related to an experimental feature present in all LastPass browser clients and that it had issued a fix for the vulnerability before the details were made public. The company went on to note that the fix should be applied automatically for LastPass users and that no user interaction was required.

“To prevent these issues in the future, we are reviewing and strengthening our code review and security processes in place today,” the company said in a blog post, “particularly around new and experimental features.”

Disturbingly for a company that says that security is fundamental to what it does, this isn’t the first time the company has been found to be lacking on the security front. In 2015, the company revealed that its network had been hacked and that the perpetrators accessed and stole user account email addresses, password reminders, server user “salts” or random data, and authentication hashes.

The news has prompted some to call on people to stop using password managers. Network World’s Sean Cassidy wrote that “browser-based password manager extensions should no longer be used because they are fundamentally risky and have the potential to have all of your credentials stolen without your knowledge by a random malicious website you visit or by malvertising.”

Cassidy does have a solid point. Online cloud-based password managers are always going to be vulnerable in one way or another, so the question becomes: Is the convenience of a password manager more important than the security of your data?

Image: hunter0405/Flickr