CNET también está disponible en español.

Ir a español

Don't show this again

LastPass password vault reportedly not so secure

A security researcher with a record of hunting down holes finds a big one that could give hackers access to your online accounts. LastPass says, though, that the flaw has since been fixed.

Close
Drag
Autoplay: ON Autoplay: OFF

Editor's note: This story has been updated with news of LastPass fixing the hole. See below.

Turns out even LastPass, a service promoted as a password "vault," might be putting its users at risk of being hacked.

A security researcher with an established record of tracking down security flaws has found a so-called zero-day hole -- a software vulnerability that the software's makers don't know about -- that could let hackers remotely break into LastPass' millions of accounts. It takes only a visit to a malicious website to become a victim.

White hat researcher Tavis Ormandy was first to identify the problem, publishing a tweet first noticed by The Register.

Ormandy followed up with a tweet saying that he sent a full report to LastPass and next up will look at a rival password manger, 1Password.


Neither Ormandy nor LastPass immediately returned a request for confirmation and more details on how the hack works.

Update, 1:25 p.m. PT: A LastPass spokeswoman confirmed that the company verified Ormandy's reports and worked quickly to issue a fix for the vulnerability. She pointed to a blog explaining the problem to users and recommended users update LastPass on their browsers.

The blog confirms that Ormandy, a Google Security Team researcher, "contacted our team to report a message-hijacking bug that affected the LastPass Firefox add-on."

"First, an attacker would need to successfully lure a LastPass user to a malicious website," the blog says. "Once there, Ormandy demonstrated that the website could then execute LastPass actions in the background without the user's knowledge, such as deleting items...(T)his issue has been fully addressed and an update with a fix was pushed for all Firefox users using LastPass 4.0."