Password manager LastPass is advising users to avoid using its browser plugins while it battles to fix a “major architectural problem”, which could allow an attacker to steal passwords or execute code.
The vulnerability was discovered by Tavis Ormandy, a security researcher at Google, who tweeted about its existence over the weekend. In keeping with responsible disclosure norms, Ormandy did not publicly state how the bug is exploited, and informed LastPass of its existence.
In a warning to users, the password manager firm wrote: “We are now actively addressing the vulnerability. This attack is unique and highly sophisticated. We don’t want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties. So you can expect a more detailed post-mortem once this work is complete.”
It detailed three steps users could take to keep themselves safe: launch sites directly from the LastPass Vault; use two-factor authentication; and beware of phishing attacks.
For more information about our work, please visit www.safeinwarwickshire.com/cybercrime
Cyber Aware is a cross-government campaign, funded by the National Cyber Security Programme. They aim to measurably and significantly improve the online safety behaviour and confidence of consumers and small businesses (SMEs).
Get Safe Online is the UK’s leading source of factual and easy-to-understand information on online safety. Their website offers advice on how you can protect yourself, your computers and devices, and your business against the likes of fraud, identity theft, viruses and other potential online problems.