Privacy Tip #208 – Last Pass Patches Bug that Leaks Passwords
I am not a big fan of putting all of one’s passwords in one place, but many people use password managers. If you use Last Pass (see previous blog post about Last Pass here), be aware that it was recently advised by a Google Project Zero researcher that there was a vulnerability that made it possible for websites to steal credentials using a Chrome or Opera extension. (Last Pass subsequently announced that it has addressed the identified vulnerabilities.)
This means that when visiting a website, because of a vulnerability in the pop-up mechanism, the website may use the password from the last website visited instead of requiring the user to put the new password into the site to gain access to the account.
The risk of this vulnerability is clickjacking, which occurs when “you can leak the credentials for the previous site logged in for the current tab.” When users click on the link, it might open a malicious link instead of a trusted site.
Many security experts are fans of password managers as a way to manage complex passwords. I am always concerned about the risk of storing all passwords in one place and the possibility that they could be compromised in one fell swoop, which has happened before to Last Pass. (See previous blog post here). When using a password manager, consider adding the additional security measure of multifactor authentication as well.