A security researcher found a major vulnerability in popular password manager LastPass that could allow hackers to steal passwords and login credentials from users while using the LastPass web browser extension.
The company is working to patch the vulnerability, according to a post on the LastPass blog. The vulnerability, LastPass says, could allow hackers to pull off “unique and highly sophisticated” attacks. The company is keeping tight-lipped about details of the vulnerability to prevent “nefarious parties” from exploiting the problem before a patch is complete. Once the flaw is fixed, LastPass will release a “post mortem” about the vulnerability, the company says.
Tavis Ormandy, who works at Google’s Zero Day Project to uncover software vulnerabilities, discovered the vulnerability. Over the weekend, Ormandy announced via Twitter that he had worked out how to exploit the flaw, which he says is in the LastPass browser extension. He then alerted the company.
With over eight million users who store passwords to email, bank, and social media accounts, LastPass is a big target for hackers. This current vulnerability is the third bug Ormandy reported to LastPass. In 2016, according to Wired, Ormandy found a flaw that allowed hackers to break into user accounts.
In the same blog post telling users about the web browser extension vulnerability, LastPass suggests that its users visit websites directly from the LastPass vault, which is where all passwords are stored. “This is the safest way to access your credentials and sites until this vulnerability is resolved,” LastPass writes.
LastPass also suggests that users activate two-factor authentication wherever it is available. (Gmail, Facebook, Twitter, and many other sites offer two-factor authentication.)
Lastly, the company also warns its users to watch out for phishing attacks. Do not click on links or download attachments in email messages unless you know that a friend, colleague, or financial institution is actually sending you something.