Stored Passwords Opened to Hackers with Major LastPass Flaw


Password managers seem like a great idea, given rampant password reuse, poor abilities to create strong passwords by the average user and the sheer number of credentials we’re supposed to remember. But major vulnerabilities have been found in LastPass—opening the door to a full remote compromise for its users.

Independent security researcher Tavis Ormandy said that the zero-day flaw can be exploited using a drive-by technique with a malicious website. If successful, the attacker gains the digital keys to the kingdom—all of the credentials that the user has stored for online services.

“Are people really using this lastpass [sic] thing?” Ormandy tweeted. “I took a quick look and can see a bunch of obvious critical problems.”

One Ormandy Twitter follower responded, “I’m perplexed anyone uses an online service to store passwords”—to which Ormandy responded, “Yeah, me too.”