Mathias Karlsson, a security researcher at Detectify Labs, writes:
Stealing all your passwords by just visiting a webpage. Sounds too bad to be true? That’s what I thought too before I decided to check out the security of the LastPass browser extension.
In his article, Karlsson explains how a bug in the autofill functionality of the LastPass browser extension let him trick it into believing it was on the real Twitter website, so that it coughed up the user’s Twitter credentials on a web page he controlled. Autofill chooses which saved credentials to offer based on the site the browser is currently on, so getting that one decision wrong is all it takes for a malicious page to receive a password meant for another site.
The same technique could have been used to steal passwords associated with other websites.
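To show the shape of the mistake a password manager’s autofill must avoid, here is an added illustration in JavaScript. It is my code for this post, not LastPass’s code and not taken from Karlsson’s write-up: a hand-rolled host extractor of the kind found in ad-hoc URL parsers is placed next to one that relies on the browser’s own URL parser, and both are used to decide whether a made-up vault entry for twitter.com should be filled on a page served from a made-up attacker host (attacker.example). The “host or subdomain” matching rule is a common password-manager convention chosen for the example.

```javascript
// Added illustration (not LastPass's code, not from Karlsson's write-up): how an
// autofill component decides which vault entry matches the current page, and
// how a sloppy hand-rolled URL parser can be fooled by a URL on an attacker's
// site. The hostname attacker.example and the vault entry are constructed.

// Naive host extraction of the kind found in hand-written URL parsers.
// BUG: it assumes everything before the first '@' is userinfo, without first
// limiting the search to the authority part (the text before the first '/').
function naiveHost(url) {
  let rest = url.replace(/^[a-z][a-z0-9+.-]*:\/\//i, ""); // drop "scheme://"
  const at = rest.indexOf("@");
  if (at !== -1) rest = rest.slice(at + 1);             // "skip userinfo"
  return rest.split(/[\/:?#]/)[0].toLowerCase();        // host ends at / : ? #
}

// Hardened version: let the platform's WHATWG URL parser find the host, and
// refuse anything that is not an http(s) page.
function safeHost(url) {
  let u;
  try {
    u = new URL(url);
  } catch {
    return null; // unparseable: never autofill
  }
  if (u.protocol !== "https:" && u.protocol !== "http:") return null;
  return u.hostname.toLowerCase();
}

// A vault entry matches when the page host is the stored host or a subdomain
// of it (a common password-manager matching rule, chosen for this example).
function shouldAutofill(pageUrl, entryHost, hostOf) {
  const host = hostOf(pageUrl);
  if (host === null || host === "") return false;
  return host === entryHost || host.endsWith("." + entryHost);
}

// Constructed vault entry and page URLs.
const VAULT_ENTRY = { host: "twitter.com", username: "alice", password: "hunter2" };
const ATTACKER_PAGE = "http://attacker.example/@twitter.com/login"; // constructed
const REAL_LOGIN = "https://mobile.twitter.com/login";

// Same page, same vault entry, two parsers: only the naive one hands the
// twitter.com credentials to the attacker's page.
function demo() {
  return {
    naiveFilledOnAttackerPage: shouldAutofill(ATTACKER_PAGE, VAULT_ENTRY.host, naiveHost),
    safeFilledOnAttackerPage: shouldAutofill(ATTACKER_PAGE, VAULT_ENTRY.host, safeHost),
    safeFilledOnRealLogin: shouldAutofill(REAL_LOGIN, VAULT_ENTRY.host, safeHost),
  };
}

console.log(demo());
```

The point is not the particular regex: any host-matching logic that the password manager writes for itself is attack surface reachable from every page the user visits, so it should defer to the browser’s URL parser and fail closed (no fill) on anything it cannot parse or that is not an http(s) page.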
Karlsson recommends that LastPass users disable the autofill functionality and enable multi-factor authentication for better security.
Although his discovery is troubling, I agree with Karlsson when he points out that using a password manager is still better than reusing passwords on different websites.
PS. Well-known vulnerability researcher Tavis Ormandy has also tweeted overnight that he has found a flaw in LastPass.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.