A new security vulnerability has been found in another product which is widely used. However, we are not talking about any Android application or Facebook’s products for once thankfully. This time around, we have a password manager which is extremely popular among the users which had a terrible bug.
The password manager we are talking about is LastPass which had a bug exposing passwords of its users. Since LastPass is a password manager, the primary thing that people store inside are passwords of different social media accounts and other important sites. However, we would like to inform you that your passwords were exposed for a long time by LastPass’s security flaw.
Now, it is worth mentioning that this flaw was not detected by any attackers or even LastPass. But, Google’s Project Zero research team came into action once again to find this security vulnerability. As we saw in the case of Apple too, the Project Zero team sent this vulnerability report to LastPass and we can inform that the flaw has been patched too. This is well before the team made this information public.
Ormandy wrote in a blog post, revealing specifics of the vulnerability, that
“Because do_popupregister() is never called, ftd_get_frameparenturl() just uses the last cached value in g_popup_url_by_tabid for the current tab, That means via some clickjacking, you can leak the credentials for the previous site logged in for the current tab. This will prompt if you try to clickjack filling in or copying credentials though because frame_and_topdoc_has_same_domain() returns false, This is possible to bypass because you can make them match by finding a site that will iframe an untrusted page.”
However, this is not to say that password managers should not be used from now on. In fact, this makes an even stronger case that you should use multiple password managers and not keep all your eggs in one basket. Basically, use different password managers for different type of accounts such as banking, social media and more. But we also need to mention that a personal diary remains the best option if you can carry it everywhere.