LastPass password manager suffers ‘major’ security problem
Update: The company has now released a fix that has been pushed to all affected browsers
LastPass users are being advised to avoid the password manager while it addresses a “unique and highly sophisticated” security issue.
The popular service is designed to help internet users protect their online accounts and, as such, is an obvious target for cybercriminals.
LastPass hasn’t revealed any further details about the problem, but Google’s Project Zero security researcher Tavis Ormandy, who discovered it, says it’s a serious one.
“It will take a long time to fix this properly, it's a major architectural problem,” he tweeted.
Mr Ormandy won’t provide further details about how the bug can be exploited until 90 days have passed since the company was first notified, as is Project Zero’s policy.
“We don’t want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties,” wrote LastPass in a blog post.
“So you can expect a more detailed post mortem once this work is complete.”
In the meantime, LastPass recommends users enable two-factor authentication on any sites that offer the technique and beware of phishing attempts, taking care to avoid clicking on suspicious links.
It also says users should launch sites directly from the LastPass vault, describing it as “the safest way to access your credentials and sites until this vulnerability is resolved”.
However, we’d recommend disabling LastPass’ browser plugins, just to be on the safe side.
Update 3 April: LastPass has released a fix that has been pushed to all affected browsers.
“Thus far, there have been no internal or external reports to indicate this bug has been exploited,” says the company. Further details of the issue are available on the LastPass blog.