LastPass security flaws have recently been disclosed, and users are rightfully concerned. The service is a widely used password manager, and up until now, there were no reasons for concern. However, a security researcher has revealed that LastPass has weak spots that make it a target for hackers.
The LastPass security flaws were pointed out by Tavis Ormandy, a renowned information security engineer, who tweeted his finding on July 27. Ormandy’s tweet reads “Are people really using this lastpass thing? I took a quick look and can see a bunch of obvious critical problems. I’ll send a report asap”.
Tavis Ormandy revealed how attackers could lure users to a malicious website through a message-hijacking bug that up until now affected the password manager’s addon. Once the user entered the website, it could have executed LastPass actions without the individual’s knowledge.
Other experts were quick to question Ormandy’s discoveries and also admonish him for posting the issue on Twitter instead of just privately informing the company. Some, however, have jumped to defend the security engineer by saying that public warnings are of use.
Following the disclosure of LastPass’ vulnerabilities, the software development company announced it had fixed the flaws less than 24 hours after the worrying tweet. LastPass reported that the uncovered security issues had been identified and resolved, and thanked Ormandy for his work. The company assures its customers that their private information is safe from hackers.
LastPass also said that the problem only affected Firefox users, and that people using other browsers do not need to take any action. The company has pushed a fix for Firefox users who are using LastPass 4.0.
“As always, we appreciate the work of the security community to challenge our product and ensure we deliver a secure service for our users. More information on these fixes will be posted here shortly,” said LastPass in a recent blog post.
The company has also listed a few recommendations for its community members. Users are advised to use a different, strong password for each of their online accounts, to beware of phishing websites, to run and update an antivirus, and to use two-factor authentication. In the meantime, the company will continue to work on providing an even more secure product.