Warning: Newly discovered security holes in free online password manager

Password screen
Team Clark is adamant that we will never write content influenced by or paid for by an advertiser. To support our work, we do make money from some links to companies and deals on our site. Learn more about our guarantee here.

For years, Clark has talked about using password managers to store all your passwords in one place so you don’t have to remember them.

Many of these service like Dashlane and LastPass operate on a freemium business model, where you get some basic functionality for free and can then pay for additional features if you want.

Some people love using password managers. Others fear them because using them means there’s only one point of entry for a hacker to breach. The latter camp reasons that using a password manager is like putting all your money under your mattress; all it takes is one burglar to come in your home and clean you out!

That’s why we’re upset to report that LastPass confirms there is an ongoing security vulnerability in its code that could allow hackers to remotely view your passwords and even run malicious code on your device.

Read more: This secret iPhone code unlocks a hidden feature that may come in handy

How the LastPass exploit was discovered

On March 25, Google security researcher Tavis Ormandy noted a previously undiscovered flaw in the browser extension code used by LastPass.

Ormandy sent a full report of the exploit to LastPass the same day he discovered it. Now the company now has 90 days to fix the bug before Ormandy reveals what he knows to the larger security research community. (Releasing a full report at the 90-day mark is standard operating procedure for security researchers.)

“It will take a long time to fix this properly,” Ormandy noted elsewhere on Twitter. “It’s a major architectural problem.”

So LastPass has until roughly the end of June to patch the problem, lest Ormandy release his full report that explains exactly how the bug works.

Should that report fall into the wrong hands before the bug is fixed, the LastPass customer base could be put at risk.

“We don’t want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties,” the company writes on its website. “So you can expect a more detailed post mortem once this work is complete.”

This LastPass exploit is the third one Ormandy has discovered within the password manager’s code over just the last two weeks.

Here’s what you can do if you’re a LastPass user

LastPass has three recommendations for its users:

1. Don’t use the desktop browser plugin to log into websites. Go to LastPass.com instead and log into your account via the LastPass Vault. You can access the websites you want from there.

2. Use two-factor authentication on websites. Two-factor authentication is a process that requires you to go through an additional step to authenticate who you are when doing a transaction. That can mean getting a one-time use access code texted to you on your phone before you log into a site. Or it can mean making use of advanced voice recognition software for a company to verify that you are who you say you are. Those are just two possible examples.

With two-factor authentication in place, a criminal may have your password, but they don’t have your phone or your voice! So they can’t do anything with your password if they face additional barriers like these when they try to breach your account.

3. Don’t fall victim to phishing attacks. Phishing is when you receive an email from a company, requesting more information on your account or indicating there was a problem with a recent purchase or some similar ploy. But in reality, the email is just a cleverly disguised scam that’s designed to glean information from you that will ultimately empty your wallet. Here’s how to spot the warning signs of a phishing attack.

Read more: Is someone stealing your mail? There’s a new way to find out

Shopping online? Here’s how to know if you’re about to do business with a fake retail website

  • Show Comments Hide Comments