
Here’s what users can do in the meantime…

Popular password management firm LastPass is currently in the process of fixing a client-side vulnerability in its browser extension that was responsibly disclosed by a security researcher.

Over the weekend of March 24, Google vulnerability researcher Tavis Ormandy tweeted that he had figured out a way to achieve code execution in the browser extension for the LastPass password manager.

Ormandy, who has discovered numerous flaws in anti-virus products, followed responsible disclosure practice (this time) and did not publicly describe how the exploit worked.

Instead Ormandy contacted LastPass directly.

In turn, the password manager, which has fixed more than one security hole over the years, took two days to publicly acknowledge Ormandy’s disclosure. Like Ormandy, it did not reveal any details of the exploit.

As LastPass explains in a blog post:

“We are now actively addressing the vulnerability. This attack is unique and highly sophisticated. We don’t want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties. So you can expect a more detailed post mortem once this work is complete.

“In the meantime, we want to thank people like Tavis who help us raise the bar for online security with LastPass, and work with our teams to continue to make LastPass the most secure password manager on the market.”

It’s always nice to see a vendor thank a researcher for helping to improve their security via responsible disclosure. Not every company responds that graciously. Some ban researchers for trying their best to advance security in a conscientious manner.

Rather annoyingly for LastPass, one imagines, this report arrived only days after it had patched other security vulnerabilities found by the same researcher.

While it continues with its work, LastPass recommends that users do three things. First, it urges them to launch sites directly from the LastPass vault rather than through the browser extension’s autofill (the smartphone app version of LastPass is thought not to be affected).

Second, it cautions users to be on the lookout for suspicious links and email attachments that might try to phish for their credentials.

Third, it advises customers to enable 2-step verification (2SV) on any and all accounts that offer the feature.


Update: LastPass says it has now resolved the issue, and urges users to check that they are running the latest version (4.1.44 or higher).
