New vulnerability could allow hackers to steal passwords or execute code remotely.
For the second time in as many weeks, LastPass employees are reportedly scrambling to fix a major software vulnerability that could allow a sufficiently sophisticated malicious website to bypass the protections in LastPass's browser extension, infect the visitor's computer with malware and steal their passwords.
The company has advised users to avoid using its browser plugins while it works to close the hole in its code. The irony is that standard industry advice today is that using a password manager such as LastPass is one of the most secure ways to protect online accounts from being compromised. That same popularity also makes a service designed to protect users' accounts an obvious target for cybercriminals.
The security flaw was discovered by Google’s Project Zero security researcher Tavis Ormandy, who says it’s a serious flaw. “It will take a long time to fix this properly, it’s a major architectural problem,” he tweeted.
LastPass said in a blog post on its site: "We don't want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties. So you can expect a more detailed post mortem once this work is complete."
In the meantime, LastPass has strongly recommended that users enable two-factor authentication on any site that offers it, stay alert to phishing attempts and be especially cautious about clicking on suspicious links.
It also says users should launch sites directly from the LastPass vault, describing it as “the safest way to access your credentials and sites until this vulnerability is resolved”.
Update: The company has now released a fix, which has been pushed out to all affected browsers.