Turns out even LastPass, a service promoted as a password "vault," might be putting its users at risk of being hacked.
A security researcher with an established record of tracking down security flaws has found a so-called zero-day hole -- a software vulnerability that the software's makers don't know about -- that could let hackers remotely break into LastPass' millions of accounts.
It takes only a visit to a malicious website to become a victim. White hat researcher Tavis Ormandy was first to identify the problem, publishing a tweet. Ormandy followed up with a tweet saying that he sent a full report to LastPass and next up will look at a rival password manger, 1Password. Neither Ormandy nor LastPass immediately returned a request for confirmation and more details on how the hack works. A LastPass spokeswoman confirmed that the company verified Ormandy's reports and worked quickly to issue a fix for the vulnerability. She pointed to a blog explaining the problem to users and recommended users update LastPass on their browsers.
The blog confirms that Ormandy, a Google Security Team researcher, "contacted our team to report a message-hijacking bug that affected the LastPass Firefox add-on." "First, an attacker would need to successfully lure a LastPass user to a malicious website," the blog says. "Once there, Ormandy demonstrated that the website could then execute LastPass actions in the background without the user's knowledge, such as deleting items...(T)his issue has been fully addressed and an update with a fix was pushed for all Firefox users using LastPass 4.0."
In January experts found the attack, which didn’t require any special skill or circumstance to accomplish, enabled an attacker to steal a LastPass customer’s entire existence, as everything stored by the LastPass service was exposed.