If you’re a LastPass user like me, you’ve probably recently heard about a pretty serious security vulnerability, and been a bit concerned.
The following excerpt is from a LastPass blog post:
On 25 March, Google security researcher Tavis Ormandy reported a security finding related to the LastPass browser extensions. This was a client-side vulnerability, and, if exploited, could allow attackers to steal data and manipulate the LastPass extension.
Exploiting required luring a user to a malicious website (through phishing, spear phishing, or other attacks), or to a trusted website running malicious adware. This requires a per-user attack that must be executed through the user’s local browser.
The good news is that according to LastPass (and Tavis), the issue is now fixed.
LastPass have fixed the remote code execution bug I reported last week. https://t.co/NWwqTdGbay
— Tavis Ormandy (@taviso) March 31, 2017
What do I do now?
Make sure you have the updated version of the browser extension installed – this is version number 4.1.44 or higher. The fix is in the extension itself, so check every browser in which you use the extension, since each copy updates independently.
To check the version number, log into LastPass through the browser extension and select More Options > About LastPass. This will show you the software version you’re running. LastPass said Friday that most users should be automatically updated to the patched version of the extension.
If that’s not the case, download the updated extension from LastPass.com.
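For anyone who has to confirm the fix across more than one machine, the check above can be scripted. The following is an added example for this post, not LastPass's own code: it compares extension version strings against the 4.1.44 minimum component by component rather than as plain strings (a naive string comparison would wrongly pass "4.1.9", because "9" sorts after "4"), and runs that check over an inventory of extension manifests. The inventory, host names and manifest contents are constructed sample data, and the manifest layout (a "name" and a "version" field, as in a browser extension's manifest.json) is an assumption.

```python
"""Check whether LastPass browser-extension versions meet the patched minimum.

Added example for this post; not LastPass code. Assumes versions are dotted
integers like "4.1.44" and that an inventory of installed extension manifests
is available (here a constructed sample, not real data).
"""
import json
import re

PATCHED_MINIMUM = "4.1.44"


def parse_version(version):
    """Turn '4.1.44' into (4, 1, 44).

    Each component is read as an integer so comparisons are numeric, not
    lexicographic: (4, 1, 9) < (4, 1, 44), whereas "4.1.9" > "4.1.44" as strings.
    """
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        if m is None:
            raise ValueError("unparseable version: %r" % version)
        parts.append(int(m.group()))
    return tuple(parts)


def is_patched(version, minimum=PATCHED_MINIMUM):
    """True if `version` is at least `minimum`, compared component-wise."""
    v, m = parse_version(version), parse_version(minimum)
    # Pad the shorter tuple with zeros so "4.2" is treated as "4.2.0".
    width = max(len(v), len(m))
    v += (0,) * (width - len(v))
    m += (0,) * (width - len(m))
    return v >= m


def audit(manifests):
    """Given {host: manifest_json_text}, return {host: (version, patched)}.

    Only manifests whose name mentions LastPass are considered; other
    extensions present in the inventory are skipped.
    """
    results = {}
    for host, text in manifests.items():
        manifest = json.loads(text)
        if "lastpass" not in manifest.get("name", "").lower():
            continue
        version = manifest["version"]
        results[host] = (version, is_patched(version))
    return results


# Constructed sample inventory: hostnames and manifests are made up for the example.
SAMPLE_MANIFESTS = {
    "alice-laptop": '{"name": "LastPass: Free Password Manager", "version": "4.1.44"}',
    "bob-desktop": '{"name": "LastPass: Free Password Manager", "version": "4.1.9"}',
    "carol-vm": '{"name": "LastPass: Free Password Manager", "version": "4.1.100"}',
    "dave-kiosk": '{"name": "Some Other Extension", "version": "9.9.9"}',
}

if __name__ == "__main__":
    for host, (version, ok) in sorted(audit(SAMPLE_MANIFESTS).items()):
        print("%-12s %-8s %s" % (host, version, "ok" if ok else "UPDATE NEEDED"))
```

In the sample run, bob-desktop is the one that needs attention: its "4.1.9" is below the minimum even though a string comparison would rank it above "4.1.44". Feeding the script a real inventory means collecting each browser's extension manifest.json (or the version shown under More Options > About LastPass) per machine, which is outside what this snippet does.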
Why I’m sticking with LastPass
I admittedly panicked a bit when I heard about this vulnerability. In fact, I even toyed with the idea of moving to another service. But logic prevailed. After thinking about it, I decided to stick with LastPass. Here’s why:
1) Moving is a pain
2) Overall, I’ve been very happy with LastPass for a number of years
3) LastPass takes these things seriously, and is quick to act
4) The company is honest and transparent with its users
5) Software security vulnerabilities are common – new gaps are found all the time, no matter which vendor
6) No vendor can guarantee anything these days, especially when it comes to security
At the end of the day, this brand loyalty comes down to trust and transparency for me. Users weren’t waiting months for a fix, and we’ve been updated about what’s happened along the way.
‘We’re in the business of password management; security is and always will be our top priority. We greatly appreciate the work of the security community who challenges our product and works with our teams to ensure we’re delivering a secure service for our users. As a market leader, we get the best of the best testing LastPass and in return our software and our customers benefit,’ LastPass says.