Password manager LastPass had a vulnerability that could be abused to reveal a user’s credentials. The company has fixed the issue in its latest update, according to a blog post Monday. The problem was first found in late August by Tavis Ormandy, a security researcher from Google’s Project Zero, a team dedicated to finding vulnerabilities that can be abused by hackers.
For a hacker to take advantage of the bug, victims would have to be using the Chrome or Opera browser with the LastPass extension and then enter their password multiple times on a fake website. After several attempts, the fake site would allow a hacker to see the user’s LastPass credentials used on a previous site. Once the bug was discovered, Ormandy informed LastPass of the issue.
LastPass v4.33.0 went live for all browsers on Friday and contains the fix for the bug. The company says no user action is required because the LastPass browser extension will update automatically.