
LastPass says there's no evidence of a data breach following users' reports that they were notified of unauthorized login attempts, as reported by AppleInsider.

The password manager maintains that it was never compromised, and users' accounts haven't been accessed by bad actors. Nikolett Bacso-Albaum, the senior director of LogMeIn Global PR, initially told The Verge that the alerts users received were related "to fairly common bot-related activity," involving malicious attempts to log in to LastPass accounts using email addresses and passwords that bad actors sourced from past breaches of third-party services (i.e. "It's important to note that we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party," Bacso-Albaum said. "We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure."

However, late Tuesday night LastPass vice president of product management Dan DeMichele released a statement to The Verge with a more detailed explanation, which says at least some of the alerts were "likely triggered in error," due to an issue that LastPass has now resolved:

As previously stated, LastPass is aware of and has been investigating recent reports of users receiving e-mails alerting them to blocked login attempts. We quickly worked to investigate this activity and at this time we have no indication that any LastPass accounts were compromised by an unauthorized third-party as a result of this credential stuffing, nor have we found any indication that users' LastPass credentials were harvested by malware, rogue browser extensions or phishing campaigns. However, out of an abundance of caution, we continued to investigate in an effort to determine what was causing the automated security alert e-mails to be triggered from our systems. Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved. These alerts were triggered due to LastPass's ongoing efforts to defend its customers from bad actors and credential stuffing attempts. It is also important to reiterate that LastPass' zero-knowledge security model means that at no time does LastPass store, have knowledge of, or have access to a users' Master Password(s). We will continue to regularly monitor for unusual or malicious activity and will, as necessary, continue to take steps designed to ensure that LastPass, its users and their data remain protected and secure.

Reports started cropping up on the Hacker News forum after a LastPass user created a post to highlight the issue. He claims that LastPass warned him of a login attempt from Brazil using his master password. Other users quickly responded to the post, noting that they experienced something similar.

Something very strange and bad is happening to a lot of people's accounts. I posted this to Hacker News and it gathered 192 comments, including 7 separate reports of master password breaches & login attempts from the same Brazil IP range.

As the original poster points out in a tweet, some were also alerted to an attempt from Brazil, while other attempts were traced back to different countries. This, understandably, raised concerns that a breach took place. Even if LastPass wasn't actually compromised, it's still a good idea to fortify your account with multifactor authentication, which uses outside sources to verify your identity before you log in to your account.

# Lastpass extension password

Developers of the LastPass password manager have patched a vulnerability that made it possible for websites to steal credentials for the last account the user logged into using the Chrome or Opera extension. The vulnerability was discovered late last month by Google Project Zero researcher Tavis Ormandy, who privately reported it to LastPass. In a write-up that became public on Sunday, Ormandy said the flaw stemmed from the way the extension generated popup windows. In certain situations, websites could produce a popup by creating an HTML iframe that linked to the Lastpass popupfilltab.html window rather than through the expected procedure of calling a function called do_popupregister(). In some cases, this unexpected method caused the popups to open with a password of the most recently visited site.

"Because do_popupregister() is never called, ftd_get_frameparenturl() just uses the last cached value in g_popup_url_by_tabid for the current tab," Ormandy wrote.
