White hat hacker Tavis Ormandy has unearthed two serious vulnerabilities in LastPass, the cloud-based password management service. Ormandy, who is a member of Google’s crack Project Zero security team, found that both the LastPass Chrome and Firefox extensions have exploitable content script that malicious webpages can attack to extract usernames and passwords.
LastPass has welcomed Ormandy’s tip-off and insists that no data has been lost or compromised and that all holes are now filled. Still, users are encouraged to download the latest version just to make sure – we had to temporarily de-install/remove the Chrome extension and simply re-installed it. Easy enough.