In the last few days, LastPass, a popular password manager, has patched a bug that cybercriminals could have exploited. The vulnerability was discovered by staff at Google Project Zero and they highlighted that it could be used to steal user security credentials.
Using a technique called clickjacking, an attacker could abuse a pop-up window generated by the extension to leak the password for the website the user had most recently visited. The attack worked when the pop-up was opened from a malicious website in either the Opera or Chrome web browser.
The patch should have been delivered automatically on September 12th. However, users should make sure that they are running version 44.33.0.
This isn’t the first time that LastPass has had to tighten up the security of its browser extension. LastPass has patched prior vulnerabilities, including ones affecting its Firefox and Chrome extensions and its fingerprint verification system.
Don’t remove your password manager just yet
Password managers are still one of the best tools for securing your passwords and other credentials. The latest vulnerability simply highlights that no security control is ever perfect or infallible. We should also point out that there is no evidence that the vulnerability has been exploited by hackers.
In fact, in March 2019, LastPass was given the Best Product in Identity Management award at the 7th annual Cyber Defense Magazine InfoSec Awards.
One of the best ways to strengthen password security is by using multi-factor authentication. LastPass, like other password managers, supports multi-factor authentication, and there are several options for the second security check. A popular choice is the LastPass Authenticator app, which users can download on smartphones running iOS, Android, or Windows Phone operating systems.
Password security is a vital part of the Cyber Essentials certification. Contact OmniCyber Security to find out how our expert team can help your organisation achieve Cyber Essentials.