Users should update LastPass

LastPass fixed a vulnerability where it was possible to read out the last used password. Tavis Ormandy, security expert at Google Project Zero, has found a vulnerability in LastPass.

The reported problem did not affect the encrypted password database. It is a vulnerability in the browser extensions of LastPass. Under certain circumstances the last used password might be revealed. An attacker could set up a clickjacking attack that combines different domains. Without user interaction, the gap cannot be exploited.

LastPass confirmed the bug in the company blog and also said already the problem has been resolved with an update.

LastPass users do not have to do anything, because the extensions should keep themselves up to date. It does not hurt in any case to check this explicitly for your own browser and to install the update for the corresponding add-ons. Only Chromium-based browsers are affected, but LastPass updated the extensions for Firefox and other browsers also.