By SecureWorld News Team
Mon | Sep 16, 2019 | 9:53 AM PDT

You could make a case that this was a tweet heard 'round the #cybersecurity world:

"LastPass could leak the last used credentials due to a cache not being updated. This was because you can bypass the tab credential cache being populated by including the login form in an unexpected way!"

The tweet was from Google Project Zero researcher Tavis Ormandy:

[Image: Tavis Ormandy's tweet about the LastPass vulnerability]

We know LastPass has a ton of InfoSec fans; we've heard them mentioned at SecureWorld conferences.

However, the irony of a password manager potentially leaking passwords lit up social media with entertaining conversations like this one:

[Image: social media debate over whether to use a password manager]

LastPass says the vulnerability is fixed

The password manager company got in on the conversation, as well, posting that it became aware of the flaw because of Google's Project Zero and that the system of vulnerability reporting worked:

"Our team recently investigated and resolved a bug affecting certain LastPass extensions. Tavis Ormandy, a security researcher from Google’s Project Zero, responsibly disclosed the issue to us. His report revealed a limited set of circumstances on specific browser extensions that could potentially allow an attacker to create a clickjacking scenario."

That limited set of circumstances affected users of the Chrome and Opera browser extensions and required a considerable number of steps to carry out:

"To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times. This exploit may result in the last site credentials filled by LastPass to be exposed. We quickly worked to develop a fix and verified the solution was comprehensive with Tavis."

Regardless of how difficult the exploit may be to execute, one thing remains true: security researchers likely found it by thinking the way criminal hackers would.

And now those criminal hackers will have to move on to something else.
