The popular password manager LastPass has released a patch for a bug that would have allowed malicious websites to extract passwords that were previously entered using the service's browser extension.

The bug was first discovered by Google Project Zero researcher Tavis Ormandy, who disclosed the vulnerability to the company early enough that it could release a patch before it was exploited in the wild. LastPass has since fixed the issue by deploying an automatic update to all browsers, but it still recommended that users verify they're running the latest version of the software.

The bug itself works by luring users to visit a malicious website where their LastPass browser extension is tricked into using a password from a previously visited website. According to Ormandy, attackers could even use a service such as Google Translate to disguise a malicious URL and trick unsuspecting users into visiting a rogue site.

The update should be applied to LastPass automatically, according to the company, but it is still worth checking to see if you're running the latest version of the service's browser extension. This is especially true for users who are running a browser that allows you to disable automatic updates for extensions.

Version 4.33.0 is the latest version of the extension and, according to LastPass, Chrome and Opera are the only web browsers that are vulnerable. However, the company has deployed its latest patch to all browsers as a precautionary measure.

In the same way that software should be patched to the latest version, so too should browser extensions, as cybercriminals are always looking for new ways to gain access to user credentials and other sensitive information.

Via The Verge
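
The version check recommended above can be scripted across many machines. The following is an added example, not code from LastPass or from the original article. It assumes the Chromium on-disk layout `<Extensions>/<id>/<version>_<n>/manifest.json`; the extensions directory and the extension ID are supplied by the caller, and the function names are illustrative.

```python
import json
import sys
from pathlib import Path

FIXED_VERSION = "4.33.0"  # patched release named in the article


def parse_version(text):
    """Turn a dotted extension version such as '4.33.0' into a comparable tuple."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))  # versions have 1 to 4 components


def installed_versions(extensions_dir, extension_id):
    """Yield (manifest_path, version) for each unpacked copy of one extension.

    Assumption: copies live at <extensions_dir>/<extension_id>/<dir>/manifest.json.
    """
    for manifest in sorted(Path(extensions_dir, extension_id).glob("*/manifest.json")):
        try:
            version = json.loads(manifest.read_text(encoding="utf-8-sig"))["version"]
            parse_version(version)  # reject version strings that cannot be compared
        except (OSError, ValueError, KeyError, TypeError, AttributeError):
            continue  # unreadable or partial install directory: skip it
        yield manifest, version


def audit(extensions_dir, extension_id, fixed=FIXED_VERSION):
    """Return 'missing', 'outdated' or 'patched' for the newest installed copy."""
    versions = [v for _, v in installed_versions(extensions_dir, extension_id)]
    if not versions:
        return "missing"
    newest = max(versions, key=parse_version)
    # Compare numerically: as plain strings, "4.9" would sort above "4.33.0".
    return "patched" if parse_version(newest) >= parse_version(fixed) else "outdated"


if __name__ == "__main__":
    # Usage: python check_ext.py <path to profile's Extensions dir> <extension id>
    status = audit(sys.argv[1], sys.argv[2])
    print(f"{sys.argv[2]}: {status} (fixed in {FIXED_VERSION})")
    sys.exit(0 if status == "patched" else 1)
```

A non-zero exit status marks a profile where the extension is absent or older than the fixed version, which is where disabled automatic updates would show up.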