January 23, 2020

January 23, 2020

Subscribe to Latest Legal News and Analysis

January 22, 2020

Subscribe to Latest Legal News and Analysis

January 21, 2020

Subscribe to Latest Legal News and Analysis

Privacy Tip #208 – Last Pass Patches Bug that Leaks Passwords

I am not a big fan of putting all of one’s passwords in one place, but many people use password managers. If you use Last Pass (see previous blog post about Last Pass here), be aware that it was recently advised by a Google Project Zero researcher that there was a vulnerability that made it possible for websites to steal credentials using a Chrome or Opera extension. (Last Pass subsequently announced that it has addressed the identified vulnerabilities.)

This means that when visiting a website, because of a vulnerability in the pop-up mechanism, the website may use the password from the last website visited instead of requiring the user to put the new password into the site to gain access to the account.

The risk of this vulnerability is clickjacking, which occurs when “you can leak the credentials for the previous site logged in for the current tab.” When users click on the link, it might open a malicious link instead of a trusted site.

Many security experts are fans of password managers as a way to manage complex passwords. I am always concerned about the risk of storing all passwords in one place and the possibility that they could be compromised in one fell swoop, which has happened before to Last Pass. (See previous blog post here). When using a password manager, consider adding the additional security measure of multifactor authentication as well.

Copyright © 2020 Robinson & Cole LLP. All rights reserved.


About this Author

Linn F. Freedman, Robinson Cole Law Firm, Cybersecurity and Litigation Law Attorney, Providence

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She provides guidance on data privacy and cybersecurity compliance to a full range of public and private clients across all industries, such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine, and charitable organizations. Linn is a member of the firm's Business Litigation Group and chairs its Data Privacy + Cybersecurity Team. She is also a member of the Financial Services Cyber-Compliance Team (CyFi ...