Google’s Tavis Ormandy reported a message-hijacking bug targeting the LastPass Firefox add-on.
LastPass on Wednesday pushed a software update to Firefox users following reports of security vulnerabilities.
Marketing manager Amber Gott pointed to a pair of unrelated bugs that left the LastPass Firefox browser extension open to attack.
On Tuesday, Google Security Team researcher Tavis Ormandy reported a message-hijacking bug targeting the LastPass Firefox add-on.
If a hacker lured a LastPass user to a malicious website, he or she “could then execute LastPass actions in the background without the user’s knowledge, such as deleting items.”
The issue, which only affected Firefox users running LastPass 4.0 or later, was fixed by Wednesday.
The other bug, a URL-parsing flaw discovered by security researcher Mathias Karlsson, could be used to trick the password manager into handing over the stored passwords for specific sites.
Someone on their way to Facebook, for example, may click a spoof URL that steals their passwords before logging them into the real social network.
LastPass patched that bug more than a year ago and paid Karlsson a $1,000 bounty for reporting it.
“As always, we appreciate the work of the security community to challenge our product and ensure we deliver a secure service for our users,” Gott said, thanking Karlsson and Ormandy, “and others in the security community,” for their disclosures.
“We value their work that helps us build a stronger, more secure product,” she added.
Despite LastPass’s updates, users should follow some general best practices for online security.
That includes remaining alert and steering clear of possible phishing attacks, using a different and unique password for every online account, and turning on two-factor authentication when possible.
The password manager also suggests creating a strong master code for LastPass, and running antivirus software on a regular basis.