Vulnerability found in LastPass password app

A dangerous, previously unknown security vulnerability has been discovered in LastPass which permits attackers to remotely compromise user accounts.

LastPass is a password vault that pulls user passwords from a secure area and autofills credentials for you. The system uses 256-bit AES encryption with PBKDF2 SHA-256 and salted hashes to protect the valuable data stored within, but according to Google Project Zero hacker Tavis Ormandy, the software contains a “bunch of critical problems” which could put user accounts at risk.

On Tuesday, the white hat researcher revealed on Twitter that he was exploring LastPass security, claiming that it only took a “quick look” to find “obvious” security problems.

According to The Register, millions of users may be at risk until the problem is patched — and it only takes a visit to a malicious website to become a victim. If an attacker is able to compromise a LastPass account, this gives them access to a treasure trove of credentials for other online services.
