Illustration by Alex Castro / The Verge
LastPass has patched a bug that would have allowed a malicious website to extract a previous password entered by the service’s browser extension. ZDNet reports that the bug was discovered by Tavis Ormandy, a researcher on Google’s Project Zero team, and was disclosed in a bug report dated August 29th. LastPass fixed the issue on September 13th and deployed the update to all browsers, where it should be applied automatically, something LastPass users would be smart to verify.
The bug works by luring users onto a malicious website and fooling the browser extension into using a password from a previously visited website. Ormandy notes that attackers could use a service like Google Translate to disguise a malicious URL and trick vulnerable…