Major LastPass security bug puts millions of accounts at risk

Millions of users of cloud-based password store LastPass could be at risk from hackers after a huge security hole was revealed.

The so-called ‘zero-day hole’ – a software vulnerability that the maker is initially unaware of – could enable cybercriminals to remotely break into accounts. What makes the LastPass flaw significant compared to other such vulnerabilities is that the service is a password manager, meaning numerous passwords would be exposed if an account was hacked.

And users could be at risk of being hacked simply by clicking on a malicious web link, reports The Register.

Established security researcher Tavis Ormandy first noticed the problem, tweeting: “Are people really using this lastpass thing? I took a quick look and can see a bunch of obvious critical problems. I’ll send a report asap.”

The security expert has an impressive record of flagging up potential risks to major tech companies, having previously highlighted weaknesses in software from Kaspersky and Symantec.

He later confirmed he had contacted LastPass about his concerns and that the firm was working on the problem.

“Full report sent to LastPass, they’re working on it now. Yes, it’s a complete remote compromise,” he tweeted.

The researcher also stated he would check password manager 1Password for any security holes next.

So far, there hasn’t been any news of cyber attacks relating to the security hole, so LastPass may be able to patch the software in time to prevent any private information being leaked.

“Our team worked directly with the security researchers to verify the reports made and worked quickly to issue a fix for LastPass users. To apply the fixes, we recommend that users update LastPass on their browsers.”

More information for LastPass users will be posted on the company’s blog shortly.

Earlier this week, reports claimed O2 customer information was being sold on the dark web by cyber criminals.

The telecoms firm stated its security had not been breached and that the stolen information was the result of the theft of passwords from gaming website XSplit several years ago.

Hackers then used these in a process known as ‘credential stuffing’, where the automated injection of breached username and password pairs is used to fraudulently gain access to user accounts.


[Source: Wired]