What is worse than a forgotten password? A stolen one.
Password manager LastPass is in hot water this week as security flaws were discovered in its web browser extension. On March 26, Google security researcher Tavis Ormandy exposed a client-side vulnerability in LastPass that he found in Google Chrome. LastPass acknowledged the problem and vowed to address it.
Cybersecurity has been a hot topic this March. On a major scale, WikiLeaks leaked documents on CIA spying. On a lesser degree, Google Allo was found out to reveal your recent browsing history.
A 'Unique And Highly Sophisticated' Attack
Google Project Zero security researcher Tavis Ormandy revealed via Twitter the client-side vulnerability he discovered in a LastPass browser extension and sent the company a report. As per Project Zero's policy, LastPass now has 90 days to fix the issue before Google discloses the vulnerability details. LastPass immediately sprang into action to address this security flaw.
LastPass acknowledged the breach and calls it a "unique and highly sophisticated" attack. As protocol and also for security purposes, the company did not reveal the details about the attack.
"We don't want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties," wrote LastPass in its official blog.
LastPass also disclosed that a "more detailed post mortem" report will be published once the problem is resolved.
This isn't the first time that a LastPass vulnerability was exposed by Ormandy. Earlier this March, Ormandy reported two separate flaws in LastPass' browser add-on. This third vulnerability might take a while according to Ormandy, calling it a "major architectural problem."
How To Protect LastPass Account
LastPass acknowledged Ormandy's efforts in helping the company "raise the bar for online security" and vowed to work to become the most secured password manager in the market. As a precaution, it shared tips on how users can protect their accounts from this type of security breach.
One suggestion LastPass shared is using LastPass Vault as a launch pad for password-protected sites. According to LastPass, this is the safest way to access their credentials, which will be the case until the vulnerability is resolved.
Another is Two-Factor Authentication. LastPass suggested to users to do this with their accounts "whenever possible" as most websites offer this option already.
Lastly, the company warned against phishing attacks, cautioning users not to click on suspicious links and advising them to read its phishing primer.