LastPass bug leaks credentials from previous site

LastPass recently investigated and resolved a bug affecting certain LastPass extensions. Tavis Ormandy, a security researcher from Google’s Project Zero, responsibly disclosed the issue to them. His report revealed a limited set of circumstances on specific browser extensions that could potentially allow an attacker to create a clickjacking scenario.

To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times. This exploit may result in the last site credentials filled by LastPass to be exposed. LastPass quickly worked to develop a fix and verified the solution was comprehensive with Tavis.

LastPass have now resolved this bug; no user action is required and your LastPass browser extension will update automatically.

Despite this vulnerability, users are still advised to rely on a password manager whenever they can. Using a password manager is many times better than leaving passwords stored inside a browser, from where they can be easily extracted by forensic tools and malware.