LastPass Issues Fix for Critical Bug

Summary

A security bug was discovered that exposes credentials entered on a previously visited site.  Like any application, password managers are sometimes vulnerable to bugs.  Despite the vulnerabilities, a password manager is still safer than storing your passwords inside a browser where they can be extracted by cybercriminals or easily accessed by average users.  Security is a top priority for many popular password managers such as LastPass.  As with this announcement, LastPass is quick to react to its vulnerabilities and, if necessary, can auto-reset your passwords on about 75 websites. [1]

Impact

Because the bug relies on executing malicious JavaScript code alone, with no other user interaction, it is considered dangerous and potentially exploitable. [1]

Vulnerable

LastPass users whose browser extensions or LastPass mobile apps do not have an auto-update mechanism enabled. [1]

Recommendations

If you have auto-update on for your applications, you will not need to update LastPass.  To ensure that your device applications and web browser extensions are updated, please follow the instructions below.

For the app update, the process is simple for Android and iPhone devices. 

Here’s how you do it on an iPhone:

  1. Go to your iPhone’s home screen and tap on the App Store icon.
  2. After the App Store opens, tap the Updates icon in the bottom right corner of the screen.
  3. Tap the Update All button at the top of the screen.
  4. Enter your password and wait for your apps to update.  Some apps may have an alert you’ll need to respond to before the update will install, so wait a few seconds so you can acknowledge it.

Here’s how you do it on an Android:

  1. Find the Play Store in your apps and tap it to open it up.
  2. Once the Play Store loads, tap the menu button and choose My apps & games.
  3. Under the updates menu, you will see pending updates and Recently updated.  You may click on Update All or find LastPass in the list and click the Update button beside it.

For browser extensions, simply Google “How to update browser extensions for” then indicate the name of the browser you use.  If you use LastPass in more than one browser, be sure you update the browser extensions for all browsers.  The version for your browser extension should show as v4.33.0/v4.33.4. [2] [3] [4]

References

[1] https://www.zdnet.com/article/lastpass-bug-leaks-credentials-from-previous-site/?fbclid=IwAR2hTN3JHvt_eMfTas4V9ZLb9oa8zwWHy7Vh_HncSKj81qpAk0rgRwUGKYw
[2] https://www.google.com/search?q=how+to+update+explorer+browser+extensions&rlz=1C5CHFA_enUS838US838&oq=how+to+update+explorer+browser+extensions&aqs=chrome..69i57.14615j0j4&sourceid=chrome&ie=UTF-8
[3] https://lifehacker.com/how-to-update-your-apps-on-android-and-iphone-5828576
[4] https://lastpass.com/upgrade.php?fromwebsite=1&releasenotes=1