> Ferenc Kun, the security engineering manager for LastPass at LogMeIn, which owns LastPass, said in an online statement that this "limited set of circumstances on specific browser extensions" could potentially enable the attack scenario described."To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times," Kun said, "any potential exposure due to the bug was limited to specific browsers (Chrome and Opera.)"
> LastPass has already patched the vulnerability, and the fix was comprehensively verified with Project Zero. Indeed, the fix was rolled out on September 13, and Kun confirmed that "we have now resolved this bug; no user action is required and your LastPass browser extension will update automatically." As a precaution, the LastPass update was deployed to all web browsers and not just Chrome and Opera.
1 comment
[ 3.9 ms ] story [ 9.8 ms ] thread> LastPass has already patched the vulnerability, and the fix was comprehensively verified with Project Zero. Indeed, the fix was rolled out on September 13, and Kun confirmed that "we have now resolved this bug; no user action is required and your LastPass browser extension will update automatically." As a precaution, the LastPass update was deployed to all web browsers and not just Chrome and Opera.