Cybersecurity Threat Advisory 0049-19: LastPass Bug Leaks Credentials From Previous Site
What is the threat?
Why is this noteworthy?
What is the exposure or risk?
Since LastPass is widely used in both business and personal settings, and since Chrome and Opera users make up a significant portion of web browser traffic, this vulnerability has a high probability of being exploited both inside and outside of the business. It is critically important, however, not to dissuade users from leveraging password managers (including LastPass) to help protect themselves by creating and storing unique passwords for every website and service. While a password manager, like any software, is likely to have vulnerabilities and other code bugs, not using a password manager leads to password re-use and over-use of password reset protocols, practices which are known to lead to the theft of credentials and information and/or to the ability of threat actors to socially engineer such theft. LastPass has released updates to the software and to the Chrome and Opera plugins which remove this vulnerability; these updates should be applied immediately.
What can you do?
- If users have not enabled or have disabled the auto-update mechanism for their LastPass browser extensions, they’re advised to perform a manual update as soon as possible.
- User education on the nature of the vulnerability, and on why it should not keep them from using password managers, is critical; otherwise users may lower their security stance because they perceive a security issue in what is an isolated incident.
- Standard user precautions should be stressed: avoiding clicking any links in emails and avoiding web pages that they do not need to visit are key to steering clear of disguised links and possible attack sites.
- Standard organizational protocols for ensuring software is updated regularly, and for performing vulnerability scanning at least quarterly, will help identify vulnerable versions of LastPass and bring them up to date.
- Enabling two-factor authentication for any devices and websites/services using LastPass should be mandated by company policy. Enabling 2FA/MFA for all sites and services that support such enhanced logins (with or without LastPass) is always recommended.
- Logging out of LastPass and closing the web browser when finished browsing the internet should become every user’s routine; this removes the “latent” credential information that this attack uses to obtain previous login information.
For more in-depth information about the recommendations, please visit the following link:
If you have any questions, please contact our Security Operations Center.
Find Trouble Before Trouble Finds You.