LastPass password manager suffers ‘major’ security problem
Update: The company has now released a fix that has been pushed to all affected browsers
LastPass users are being advised to avoid the password manager while it addresses a “unique and highly sophisticated” security issue.
The popular service is designed to help internet users protect their online accounts and, as such, is an obvious target for cybercriminals.
LastPass hasn’t revealed any further details about the problem, but Google’s Project Zero security researcher Tavis Ormandy, who discovered it, says it’s a serious one.
“It will take a long time to fix this properly, it's a major architectural problem,” he tweeted.
Mr Ormandy won’t provide further details about how the bug can be exploited until 90 days have passed since the company was first notified, as is Project Zero’s policy.
“We don’t want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties,” wrote LastPass in a blog post.
“So you can expect a more detailed post mortem once this work is complete.”
In the meantime, LastPass recommends users enable two-factor authentication on any sites that offer the technique and beware of phishing attempts, taking care to avoid clicking on suspicious links.
It also says users should launch sites directly from the LastPass vault, describing it as “the safest way to access your credentials and sites until this vulnerability is resolved”.
However, we’d recommend disabling LastPass’ browser plugins, just to be on the safe side.
Update 3 April: LastPass has released a fix that has been pushed to all affected browsers.
“Thus far, there have been no internal or external reports to indicate this bug has been exploited,” says the company. Further details of the issue are available on the LastPass blog.