TIME STAMP: 1:15 PM ET
Security is fundamental to what we do here at LastPass. Our first priority is always responding to and fixing reports as quickly as possible.
In follow-up to recent news, we want to address in more detail two security reports that have been disclosed to our team. One report was disclosed yesterday, while the other report was responsibly reported and fixed over a year ago. Notably, both exploits do require tricking a user via a phishing attack into going to a malicious website.
The first report was responsibly disclosed to our team over a year ago by security researcher Mathias Karlsson, and fixed at that time. Karlsson recently posted his findings on the URL parsing bug. All browser clients were updated and Karlsson confirmed our fix at that time, requiring no action from our users.
The second report was made yesterday by Google Security Team researcher Tavis Ormandy, who contacted our team to report a message-hijacking bug that affected the LastPass Firefox addon. First, an attacker would need to successfully lure a LastPass user to a malicious website. Once there, Ormandy demonstrated that the website could then execute LastPass actions in the background without the user’s knowledge, such as deleting items. As noted below, this issue has been fully addressed and an update with a fix was pushed for all Firefox users using LastPass 4.0.
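The defensive pattern behind a fix for this class of bug, as an added illustration that is not LastPass code and does not reproduce the reported flaw: an extension message handler shown without and with a sender check. It assumes (my assumptions, not stated in the post) that the handler receives `window.postMessage`-style events carrying `{ action, id }`, that only the extension's own origin may request privileged actions, and that the vault, origins and messages below are constructed sample data.

```javascript
// Added example (not LastPass code). Shows why a message handler that
// performs privileged actions must verify who sent the message.
// Assumptions (mine): events look like { origin, data: { action, id } },
// as delivered by window.postMessage; the extension id is a placeholder.

const EXTENSION_ORIGIN = "moz-extension://00000000-0000-0000-0000-000000000000"; // placeholder id
const PRIVILEGED = new Set(["deleteItem", "fillCredentials"]);

// Constructed sample vault: id -> label.
function makeVault() {
  return new Map([["item-1", "example.com login"], ["item-2", "bank login"]]);
}

function applyAction(vault, message) {
  if (message.action === "deleteItem") return vault.delete(message.id);
  if (message.action === "fillCredentials") return vault.has(message.id);
  return false;
}

// Weak form: any script that can reach the listener can trigger any action,
// so a page the user was lured to can delete items in the background.
function dispatchUnchecked(vault, event) {
  const m = event.data;
  if (!m || typeof m.action !== "string") return { ok: false, reason: "malformed" };
  return { ok: true, result: applyAction(vault, m) };
}

// Hardened form: privileged actions require an exact match on event.origin.
// Use strict equality, not a prefix or substring check, so a look-alike
// origin cannot satisfy the test.
function dispatchChecked(vault, event, trustedOrigin = EXTENSION_ORIGIN) {
  const m = event.data;
  if (!m || typeof m.action !== "string") return { ok: false, reason: "malformed" };
  if (PRIVILEGED.has(m.action) && event.origin !== trustedOrigin) {
    return { ok: false, reason: "untrusted origin" };
  }
  return { ok: true, result: applyAction(vault, m) };
}

// Constructed sample: the same request arriving from an ordinary web page.
const pageEvent = {
  origin: "https://malicious.example",
  data: { action: "deleteItem", id: "item-2" },
};

module.exports = { EXTENSION_ORIGIN, makeVault, dispatchUnchecked, dispatchChecked, pageEvent };
```

Running both dispatchers against `pageEvent` shows the unchecked handler deleting `item-2` while the checked one refuses; the same message from `EXTENSION_ORIGIN` is honoured by both.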
We know the LastPass community is very security savvy, but as a reminder LastPass strongly recommends the following general best practices for online security:
- Beware of phishing attacks. Do not click on links from people you don’t know, or that seem out of character from your trusted contacts and companies.
- Use a different, unique password for every online account.
- Use a strong, secure master password for your LastPass account that you never disclose to anyone, including us.
- Turn on two-factor authentication for LastPass and other services like your bank, email, Twitter, Facebook, etc.
- Keep a clean machine by running antivirus and keeping your software up-to-date.
Thank you again to Tavis and Mathias, and others in the security community, for their responsible disclosure. We value their work that helps us build a stronger, more secure product.
We want to share a quick update with the LastPass community about important fixes that we have made in response to two recent security reports. Our team worked directly with the security researchers to verify the reports made and issue a fix to LastPass users.
The recent report only affects Firefox users. If you are a Firefox user running LastPass 4.0 or later, an update will be pushed via your browser with the fix in version 4.1.21a. If you would like to update your client proactively, you can update with our download link here: https://lastpass.com/lastpassffx. You can check which version you are running in your LastPass browser addon, under the More Options menu in About LastPass. If you are running LastPass 3.0, you are not impacted and do not need to update.
Other browsers are not impacted by this report, and users do not need to take action for other browsers.
As always, we appreciate the work of the security community to challenge our product and ensure we deliver a secure service for our users. More information on these fixes will be posted here shortly.