LastPass is advising customers against using its plugins for now
Passwords and pins are the keys to a significant amount of our personal data. Security experts constantly urge users to change their passwords regularly and to make them as complex as possible. Some users avail of services, such as LastPass, which describes itself as a "password manager, auto form filler, random password generator and secure digital wallet app."
LastPass has, however, advised users to avoid its browser plugins whilst it works to fix a "major architectural problem", that may compromise its security, allowing a hacker to steal passwords.
The issue was discovered by Travis Ormandy, a vulnerability researcher at Google.
Ah-ha, I had an epiphany in the shower this morning and realized how to get codeexec in LastPass 4.1.43. Full report and exploit on the way. pic.twitter.com/vQn20D9VCy— Tavis Ormandy (@taviso) March 25, 2017
Ormandy informed the company of the issue, which lead to the following statement from the company.
“We are now actively addressing the vulnerability. This attack is unique and highly sophisticated. We don’t want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties. So you can expect a more detailed post-mortem once this work is complete.”
The firm also issues a three step recommendation for users.
Further details surrounding the nature of the problem are expected to follow in the coming weeks.