Teddy Rogers, posted July 28, 2016

Quote:

In follow-up to recent news, we want to address in more detail two security reports that have been disclosed to our team. One report was disclosed yesterday, while the other report was responsibly reported and fixed over a year ago. Notably, both exploits do require tricking a user via a phishing attack into going to a malicious website.

The first report was responsibly disclosed to our team over a year ago by security researcher Mathias Karlsson, and fixed at that time. Karlsson recently posted his findings on the URL parsing bug. All browser clients were updated and Karlsson confirmed our fix at that time, requiring no action from our users.

The second report was made yesterday by Google Security Team researcher Tavis Ormandy, who contacted our team to report a message-hijacking bug that affected the LastPass Firefox addon. First, an attacker would need to successfully lure a LastPass user to a malicious website. Once there, Ormandy demonstrated that the website could then execute LastPass actions in the background without the user’s knowledge, such as deleting items. As noted below, this issue has been fully addressed and an update with a fix was pushed for all Firefox users using LastPass 4.0.

https://blog.lastpass.com/2016/07/lastpass-security-updates.html/

Ted.
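The quoted advisory describes the second bug only as "message-hijacking": a page the user has been lured to can drive the extension's actions in the background. The example below is added here to show the defensive side of that bug class; it is not LastPass's code and not code from the blog post, and it assumes (the advisory does not say) that the channel is a window.postMessage listener in an extension content script. The origins, action names and message events are constructed. The vulnerable handler dispatches whatever the page sends; the hardened one allowlists the sender origin, checks the message shape and only dispatches known actions.

```javascript
// Added example (not LastPass's code): a minimal model of a browser-extension
// content script that accepts commands from the page via window.postMessage.
// The vulnerable handler acts on any message; the hardened one checks the
// sender's origin and the message shape before dispatching. Origins, actions
// and message formats are constructed for illustration.

// Stand-in for the extension's privileged side: it only records what it was
// asked to do, so the example runs offline in Node.
function makeVault() {
  const log = [];
  return {
    log,
    actions: {
      listItems: () => { log.push('listItems'); return ['site-a', 'site-b']; },
      deleteItem: (id) => { log.push(`deleteItem:${id}`); return true; },
    },
  };
}

// Vulnerable pattern: trusts event.data unconditionally. Any page that can
// run script in the tab (or a frame in it) can drive the extension.
function handleMessageUnchecked(event, vault) {
  const msg = event.data;
  const action = vault.actions[msg.type];
  if (!action) return { ok: false, reason: 'unknown-type' };
  return { ok: true, result: action(msg.id) };
}

// Hardened pattern: allowlist the origin, require a structured message, and
// only dispatch own (non-inherited) action names with validated arguments.
const ALLOWED_ORIGINS = new Set(['https://vault.example']); // constructed origin

function isWellFormed(msg) {
  return msg !== null && typeof msg === 'object'
    && typeof msg.type === 'string'
    && (msg.id === undefined || typeof msg.id === 'string');
}

function handleMessageChecked(event, vault, allowedOrigins = ALLOWED_ORIGINS) {
  if (!allowedOrigins.has(event.origin)) {
    return { ok: false, reason: 'untrusted-origin', origin: event.origin };
  }
  if (!isWellFormed(event.data)) return { ok: false, reason: 'malformed' };
  const type = event.data.type;
  const action = Object.prototype.hasOwnProperty.call(vault.actions, type)
    ? vault.actions[type]
    : undefined;
  if (!action) return { ok: false, reason: 'unknown-type' };
  return { ok: true, result: action(event.data.id) };
}

// Constructed message events shaped like what a window 'message' listener
// receives: a background request from a page the user was lured to, and a
// legitimate one from the allowlisted origin.
const hostileEvent = { origin: 'https://attacker.example', data: { type: 'deleteItem', id: 'site-a' } };
const trustedEvent = { origin: 'https://vault.example', data: { type: 'listItems' } };

// Runs both handlers against both events and returns what each one did.
function demo() {
  const v1 = makeVault();
  const unchecked = handleMessageUnchecked(hostileEvent, v1);
  const v2 = makeVault();
  const checkedHostile = handleMessageChecked(hostileEvent, v2);
  const checkedTrusted = handleMessageChecked(trustedEvent, v2);
  return { unchecked, uncheckedLog: v1.log, checkedHostile, checkedTrusted, checkedLog: v2.log };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the unchecked handler deleting an item on the hostile page's say-so, while the checked handler refuses the same message with `untrusted-origin` and still serves the allowlisted origin. In a real extension the origin check is only one layer: the page-facing listener should also be limited to the messages it genuinely needs, and state-changing operations should require explicit user confirmation rather than a page-originated message.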
Loki, posted July 29, 2016

Tavis is a fornicating ninja. That is all.
Teddy Rogers (author), posted July 29, 2016

Yes, he has been killing it of late with some of his disclosures. Certainly developing positive status credibility against his name. Pleased to see LastPass being proactive once these security issues have been disclosed to them, patching and releasing updates promptly...

Ted.
Loki, posted July 29, 2016

It's the fact that researchers spend months looking for bugs, whereas he "has a glance and notices some obvious security issues". Seems to be single-handedly funding Amnesty International too with his donations. Good on him.