LastPass has fixed a security bug that potentially allowed malicious websites to obtain the username and passphrase inserted by the password manager on the previously visited site. In other words, if you visited website A, and LastPass automatically injected a username and password for you to log in, and then you surfed to …

  1. Ken Moorhouse

    Users who use the same username/password everywhere...

    ...were unaffected.

    But then again, they wouldn't be using LastPass.

    1. Captain Scarlet

      Re: Users who use the same username/password everywhere...

      My nan has an old diary used for her passwords, after giving in to my "please don't use one password for everything" routine.

  2. macjules

    "This exploit may result in the last site credentials filled by LastPass to be exposed."

    Ah, it's 2019 and there has not been a LastPass breach for at least 12 months. Mind you, I used to bank with NatWest so I should be used to, "hey so soz but we forgot to tell you that there is no security on our app. LOLZ!"

  3. Magani

    Something missing?

    It might have been helpful to have included in the article the fact that the bug only happened to users of Chrome and Opera. Firefox users weren't hit.

    As per the LP statement: "...the bug was limited to specific browsers (Chrome and Opera),..."

    1. IGotOut

      Re: Something missing?

      I'm not 100% sure on their statement as the report says

      "you can create a popup without calling do_popupregister() by iframing popupfilltab.html (i.e. via moz-extension, ms-browser-extension, chrome-extension, etc)"

      As many now use the Chromium backend (and it's reported on the Chromium blog), I'm not sure how valid a statement that is.

    2. phuzz

      Re: Something missing?

      From TFA: "The password manager's Chrome and Opera extensions were vulnerable, specifically."

  4. Bloodbeastterror

    "make sure they have updated"

    Easier said than done. I could see no version info in my LastPass vault; I had to check the version on the executable, and it was still a 4.1 version from August. Nor could I see an update function; eventually I had to uninstall the 4.1 version, then download and install 4.33. Not a big deal, but equally not very helpful.

    1. Anonymous Coward

      Re: "make sure they have updated"

      In the plugin, select Account Options > About LastPass

    2. Stuart Halliday

      Re: "make sure they have updated"

      I found in my Windows Brave Browser that I already had 4.33.0 of LP.

      I checked the extension via Account Options > About

    3. Killing Time

      Re: "make sure they have updated"

      More Tools > Extensions > LastPass 'Details' button

  5. GnuTzu

    How much pass could LastPass pass if LastPass passed...

    ...gas. Sorry, had to say it, juvenile as it is.

  6. sitta_europea

    What fuckin' idiot had the idea of using fancy software to secure passwords anyway?

    1. Barry Rueger

      My thought exactly. Can you say "single point of failure?"

      1. Anonymous Coward

        It's only a single point of failure if you shove everything into it. I don't know anyone who does that even with LastPass or ANY password manager.

        None of them ever get my email, banking info or ISP stuff. Keeping my recovery route for all of those passwords in there under my control.

        It's still vastly better than reusing passwords.

  7. Anonymous Coward

    Still better than doing fuck all

    The problem with this type of article is that it puts a subset of users off using password managers because of "flaws".

    In this case the day to day risk is probably negligible for the vast majority of users, therefore password managers are still a net gain for your average keyboard masher.

