Password manager LastPass fixes security flawA bug allowed any malicious site to potentially get your login and password. LastPass fixed the problem in under one day.
A couple of big flaws in a password manager are now fixed. Security researcher Mathias Carlson found a flow in the password manager's LastPass. What he found was a bug that allowed him to get passwords due to LastPass's autofill function. When you use LastPass, you have an option for the extension to automatically fill out your credentials. Carlson found that LastPass would look at only part of a web address to determine whether to fill out forms. So, he tested it. Sure enough the top level URL did not determine whether LastPass would auto fill information. The password manager could be fooled if a URL included other language. In short, a LastPass user could have their information compromised. By visiting a malicious site if they weren't paying attention to the address bar. The researcher reported this to Last Pass and the issue was fixed in under a day. Last Pass says that all browser clients were updated and its users do not need to do anything to be protected. Carlson received a bug bounty of $1000 Many companies reward people for reporting bugs. For example, Google said it typically pays from $500 to $100,000 for certain bug reports related to its browser, Chrome. Speaking of Google, another bug was found by a Google security team researcher related to LastPass' Firefox addon. This flaw could allow remote control of a user's LastPass account. The company has already pushed a fix to users. If you use Firefox and you wanna check if you're updated, you can go to LastPass.com/lastpassffx. And a word of general advice, Pay attention to addresses in your browser. That's it for this tech news update, I'm Iya Zactar, and you can stay on top of the biggest stories at cnet.com/update. [MUSIC]