However, the password manager isn't as secure as it promises.

Google Project Zero hacker Tavis Ormandy discovered several security issues in the software that allowed him to steal passwords stored with LastPass.

"Are people really using this LastPass thing? I took a quick look and can see a bunch of obvious critical problems. I'll send a report asap," Ormandy revealed on Twitter.

Once they compromise a victim's LastPass account, hackers would be able to access a treasure trove of passwords for the victim's other online services.

Since LastPass is working on a fix to the zero-day vulnerability, technical details about the issues have not been disclosed by the researcher.

Similar Old Bug in LastPass Password Manager:

Coincidentally, another security researcher, Mathias Karlsson, also announced that he had uncovered some issues in LastPass, which have already been patched by the company.

A specially crafted URL is enough to take complete control of its users' accounts.

As Karlsson explained in a blog post published today, an attacker could send a specially crafted URL to the victim in order to steal passwords from his/her vault.

This specific vulnerability resided in the autofill functionality of the LastPass browser extension, where a faulty regular expression for parsing the URL allowed an attacker to spoof the targeted domain.

"By browsing this URL: the browser would treat the current domain as while the extension would treat it as ," Karlsson explained.
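An added example, not code from LastPass or from Karlsson's post, of the parser disagreement behind the autofill flaw the article describes: a hand-rolled regex derives a different host than the browser's own URL parser, and the autofill check is only safe when it uses the latter. The regex, the function names and the `.example` URLs are all constructed for illustration.

```javascript
// Hypothetical faulty extractor (an assumption, not LastPass's code): the
// greedy ".*@" is meant to skip "user:pass@" credentials, but it also
// swallows any "@" that appears later in the path.
const NAIVE_HOST_RE = /^[a-z][a-z0-9+.-]*:\/\/(?:.*@)?([^\/:?#]+)/i;

function naiveHost(raw) {
  const m = NAIVE_HOST_RE.exec(raw);
  return m ? m[1].toLowerCase() : null;
}

// Hardened extractor: the WHATWG URL parser, i.e. the same rules the browser
// applies when it decides which origin a page belongs to.
function parsedHost(raw) {
  try {
    return new URL(raw).hostname;
  } catch {
    return null; // unparseable input never yields a host
  }
}

// Autofill decision: fill only when the page's host equals the saved host.
// hostOf is injectable so both extractors can be compared on the same input.
function shouldAutofill(pageUrl, savedHost, hostOf = parsedHost) {
  const host = hostOf(pageUrl);
  return host !== null && host === savedHost.toLowerCase();
}

// Constructed sample URLs (reserved .example domains, not from the article).
const SAMPLES = [
  "https://bank.example/login",
  "https://user:pw@bank.example/login",
  "https://attacker.example/@bank.example/login.php",
];

// Regression check: flag every URL on which the two extractors disagree.
function audit(urls) {
  return urls.map((url) => {
    const naive = naiveHost(url);
    const parsed = parsedHost(url);
    return { url, naive, parsed, disagree: naive !== parsed };
  });
}

console.table(audit(SAMPLES));
```

Running `audit` over a corpus of test URLs is a cheap regression test for any extension code that extracts hosts on its own instead of asking the platform parser.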