In 2017, the password manager patched another major security flaw in its browser extension - the Achilles' heel of most password managers - that could have allowed hackers to manipulate a LastPass account. One was discovered by security researcher Mathias Karlsson, the other by Google Project Zero's Tavis Ormandy, the latter of which prompted LastPass to urge users to update their browsers. Read more: Bitwarden review: The best free password manager for 2021 That same year, though, Asana Security Head Sean Cassidy discovered a phishing vulnerability created by a CSRF bug, and a research paper emerged detailing another CSRF bug and how LastPass' Safari bookmarklet option was found vulnerable if users were tricked into clicking certain parts of an attacker's site. Its most notable breach was in 2015 and is the only breach noted on LastPass' official site. This isn't the first time LastPass - whose source code is proprietary, rather than open-source - has faced a security scare or criticism over its privacy practices.
"However, out of an abundance of caution, we continued to investigate in an effort to determine what was causing the automated security alert e-mails to be triggered from our systems." "We quickly worked to investigate this activity and at this time we have no indication that any LastPass accounts were compromised by an unauthorized third-party as a result of this credential stuffing, nor have we found any indication that users' LastPass credentials were harvested by malware, rogue browser extensions or phishing campaigns," DeMichele said.
0 kommentar(er)
