
LastPass fixes password-revealing flaw

Priority Level: Moderate
29 July 2016

Researchers have found vulnerabilities in a popular password manager that attackers could potentially exploit to access passwords to sensitive online accounts.

LastPass has reported a vulnerability affecting a LastPass Firefox add-on. An attacker could lure a LastPass user to a malicious website and execute actions in LastPass without the user knowing.

Additionally, a vulnerability in the autofill function could allow malicious individuals to gain access to users' passwords.

LastPass has since released a fix for these problems. Firefox users running LastPass 4.0 or later have received a fix through a 'push update' via their browser. Alternatively, users can receive the update here.

You are advised to apply these updates as quickly as possible and enable automatic updates wherever possible. Stay Smart Online has information on updating software.

The size of the security update is around 1.6MB, depending on your operating system and the existing updates on your computer or mobile. If you are using a mobile data network, consider the cost of performing this update, with respect to your mobile data usage plan and allowed download limits. If you are unsure of the expected cost, seek clarification with your mobile data provider.

The security researcher who discovered the flaw stated that any risks posed by vulnerabilities in password managers outweighed the risk of using poorly secured passwords, particularly through reusing the same password on multiple websites.

More information

Stay Smart Online has information on protecting your identity online and good password use.

The information provided here is of a general nature. Everyone's circumstances are different. If you require specific advice you should contact your local technical support provider.