About 2 months after the discovery of Heartbleed, more OpenSSL vulnerabilities have now been announced. Though organizations should patch their servers, security experts have stated the latest flaws are not nearly as bad as Heartbleed.
The most critical of the new OpenSSL vulnerabilities is known as an “Injection Vulnerability”. If exploited, this flaw could result in a “man-in-the-middle attack”. Essentially, this means someone positioned on the network between your computer and a server could eavesdrop or alter encrypted data traffic. In theory, sensitive information such as email addresses, passwords, and credit card information could be at risk.
So does this impact LastPass?
With regard to LastPass, please note:

- Your data stored in LastPass is not affected by this bug
- Your master password is never shared with LastPass
- Your vault is encrypted with AES 256-bit encryption before being sent to LastPass over SSL
- Our servers’ SSL libraries have been updated with the latest fixes
- You can also use LastPass' tool to identify affected sites: https://lastpass.com/opensslccs/