LastPass, the online service that keeps your passwords safe behind one master password, is currently not nearly as secure as it should be.
According to Google's vulnerability researcher Tavis Ormandy, there's at least one unpatched vulnerability in LastPass that allows attackers to steal passwords "from any domain."
Ormandy recently reported a few other LastPass bugs, including vulnerabilities in the LastPass add-ons for Firefox and Chrome.
I found another bug in LastPass 4.1.35 (unpatched), allows stealing passwords for any domain. Full report will be on the way shortly. pic.twitter.com/9VkV7R3vud
— Tavis Ormandy (@taviso) March 21, 2017
One security vulnerability, described in detail by Ormandy here, not only allows for an attacker to steal passwords, but -- in certain circumstances -- it can also be used to run arbitrary code on the victim's computer.
On Tuesday, LastPass announced that that particular issue has been resolved, but on Wednesday, the company acknowledged that there is an unpatched bug in its Firefox add-on.
The issue reported by Tavis Ormandy has been resolved. We will provide additional details on our blog soon.
— LastPass (@LastPass) March 21, 2017
We are aware of reports of a Firefox add-on vulnerability. Our security is investigating and working on issuing a fix.
— LastPass (@LastPass) March 22, 2017
Replying to a commenter on Tuesday's tweet, LastPass said that users needn't do anything at this point. However, the company still hasn't published anything on its official blog regarding these new security holes.
While no software is safe from security holes, vulnerabilities that affect password managers such as LastPass are particularly worrisome, as these services safeguard users' entire password collections. Especially when they come in droves, as they do these days.
This is not the first serious security issue LastPass has encountered. The service got hacked in 2011 and again in June 2015. And in 2013, a bug caused some users' Internet Explorer passwords to get exposed to the public.
UPDATE: March 22, 2017, 6:52 p.m. CET LastPass responded to our query by pointing us to their freshly published blog post, here. In the post, the company says it has worked with Ormandy to investigate and fix these vulnerabilities. The company claims it has fixed all issues now, and patches will be applied automatically for most users. According to LastPass, there is no indication that any of these vulnerabilities were exploited in the wild. The company vowed to provide a more comprehensive overview of these vulnerabilities, as well as its efforts to fix them and prevent further issues, in the future.