01 Mar 2011 | #1
LastPass XSS vulnerability found
LastPass XSS vulnerability found, website and browser add-ons affected (updated)
Mike Cardwell, the Stallmanite who recently discovered a fantastically covert way of working out which Web services you're currently logged in to, has found a nasty XSS vulnerability in the LastPass password manager. The cross-site scripting (XSS) vulnerability not only allows nefarious types to see which sites you've recently logged in to, but it also provides access to your email address and password reminder.
Update: LastPass has now implemented HSTS and a few other features to make their website and browser add-ons a lot harder to attack in the future.
Cross Site Scripting vulnerability reported, fixed
While no client data was impacted, we were notified at ~3pm Eastern time yesterday of a non-persistent cross site scripting vulnerability on the LastPass.com website. By 5:30pm it was fixed, tested and deployed, closing the hole. It's important to note that this was not a flaw with the extensions, and could only be potentially exploited if you visited a malicious site that was set up to exploit this flaw while you were logged into LastPass.
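The statement above describes a non-persistent (reflected) XSS on the website and, in the update, HSTS as one of the hardening measures. The following is an added illustration, not LastPass's code and not derived from the actual flaw: a hypothetical search page that echoes a query parameter (the parameter name `q`, the host `example.test` and the sample URL are constructed assumptions), shown once in the vulnerable reflecting form and once HTML-encoded, plus the kind of response headers (HSTS and companions) a site would add after such a report.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed sample request for a hypothetical page; the "q" parameter and
# host are assumptions for this example, not anything on LastPass.com.
SAMPLE_URL = "https://example.test/search?q=%3Cb%3Ex%3C/b%3E"  # q decodes to <b>x</b>


def _query_param(url: str, name: str) -> str:
    """Extract one query-string parameter (percent-decoded) from a URL."""
    return parse_qs(urlparse(url).query).get(name, [""])[0]


def render_search_unsafe(url: str) -> str:
    """Vulnerable (reflected XSS) pattern: untrusted input is placed into the
    HTML response verbatim, so any markup in the URL becomes live markup."""
    q = _query_param(url, "q")
    return f"<p>Results for: {q}</p>"


def render_search_safe(url: str) -> str:
    """Hardened pattern: encode untrusted input for the HTML text context
    before it is written into the page."""
    q = _query_param(url, "q")
    return f"<p>Results for: {html.escape(q, quote=True)}</p>"


def security_headers() -> dict:
    """Response headers of the kind added after such a fix. HSTS is what the
    page mentions; the others are assumed companions that limit the impact of
    any reflected XSS that slips through (no MIME sniffing, restricted script
    sources)."""
    return {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    }


def reflects_markup(rendered: str, probe: str) -> bool:
    """Detection helper for a scanner or regression test: True if the raw
    probe string comes back unchanged in the response body."""
    return probe in rendered


if __name__ == "__main__":
    probe = "<b>x</b>"
    print("unsafe reflects markup:", reflects_markup(render_search_unsafe(SAMPLE_URL), probe))
    print("safe   reflects markup:", reflects_markup(render_search_safe(SAMPLE_URL), probe))
    for k, v in security_headers().items():
        print(f"{k}: {v}")
```

The `reflects_markup` check is the shape of a regression test worth keeping once a reflected XSS has been fixed: send a harmless marker containing angle brackets and assert that the response only ever contains its encoded form.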