Security Flaws Found in LastPass Extensions for Chrome, Firefox


Google security researcher Tavis Ormandy recently discovered two security flaws in the LastPass password manager's browser extensions for Chrome and Firefox.

In a blog post published yesterday, LastPass stated that the company's investigation hadn't found that any sensitive user data was compromised, and that all disclosed vulnerabilities had been patched in updates to the affected browser extensions.

The latest (patched) versions of the extensions are as follows:

  • Firefox: 4.1.36
  • Chrome:
  • Edge: 4.1.30
  • Opera: 4.1.28

"To prevent these issues in the future, we are reviewing and strengthening our code review and security processes in place today, particularly around new and experimental features," LastPass stated.

"It goes without saying that security is fundamental to what we do," the company added. "We strive for transparency in responding to these issues."

In response, Ormandy noted that the company had responded to his reports within 24 hours, tweeting, "Very impressed with how fast @LastPass responds to vulnerability reports. If only all vendors were this responsive."

Rapid7 research director Tod Beardsley told eSecurity Planet by email that it's important to understand that, regardless of such flaws, password managers are still greatly preferable to human-generated passwords. "The risk associated with password reuse is far, far greater than the risk associated with a zero day vulnerability in a particular password manager," he said.

According to Secunia Research at Flexera Software's Vulnerability Review 2017, researchers recorded a total of 17,147 vulnerabilities in 2,136 software products from 246 vendors in 2016.

Notably, 713 vulnerabilities were discovered in 2016 in the five most popular browsers (Chrome, Firefox, Opera, Safari and Internet Explorer), a 27.5 percent decrease from 2015.

And while 81 percent of all vulnerabilities had patches available on the day of disclosure, the report states that 2016 actually saw a decrease in patch rates.

Separately, a recent CBT Nuggets survey of 2,039 U.S. respondents found that while 65.9 percent of respondents said having their personal information compromised is a "medium" or "huge" risk, just 46.6 percent avoid saving private passwords on their computers, and just 56.6 percent use two-factor authentication to keep accounts secure.

When asked why they didn't follow basic security recommendations, 40 percent said they were too lazy to do so, found it to be too inconvenient, or just didn't care.