App designed to protect your passwords faces security issue

LastPass is advising customers against using its plugins for now

Online, Security, Passwords, 2015


Passwords and pins are the keys to a significant amount of our personal data. Security experts constantly urge users to change their passwords regularly and to make them as complex as possible. Some users avail of services, such as LastPass, which describes itself as a "password manager, auto form filler, random password generator and secure digital wallet app."

LastPass has, however, advised users to avoid its browser plugins whilst it works to fix a "major architectural problem", that may compromise its security, allowing a hacker to steal passwords. 

The issue was discovered by Travis Ormandy, a vulnerability researcher at Google. 

Ormandy informed the company of the issue, which lead to the following statement from the company.  

“We are now actively addressing the vulnerability. This attack is unique and highly sophisticated. We don’t want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties. So you can expect a more detailed post-mortem once this work is complete.”

The firm also issues a three step recommendation for users. 

  • Use the LastPass Vault as a launch pad – Launch sites directly from the LastPass vault. This is the safest way to access your credentials and sites until this vulnerability is resolved.
  • Two-Factor Authentication on any service that offers it – Whenever possible, turn on two-factor authentication with your accounts; many websites now offer this option for added security.
  • Beware of Phishing Attacks – Always be vigilant to avoid phishing attempts. Do not click on links from people you don’t know, or that seem out of character from your trusted contacts and companies. Take a look at our phishing primer.

Further details surrounding the nature of the problem are expected to follow in the coming weeks.