Google’s Project Zero security team found a LastPass bug that exposed user credentials on a website they previously visited. Lastpass version 4.33.0 fixed the bug on September 12 and the details are now public.
Tavis Ormandy of Project Zero wrote a bug report:
I noticed that you can create a popup without calling do_popupregister() by iframing popupfilltab.html (i.e. via moz-extension, ms-browser-extension, chrome-extension, etc). It’s a valid web_accessible_resource.
Because do_popupregister() is never called, ftd_get_frameparenturl() just uses the last cached value in g_popup_url_by_tabid for the current tab. That means via some clickjacking, you can leak the credentials for the previous site logged in for the current tab.
This means that if you have the LastPass browser extension, an attacker could send you a malicious URL disguised with Google Translate. If a user visited the URL, the attacker could extract their account credentials from a previously visited website that you are logged in for.
Project Zero found the bug and privately reported it to LastPass. So far there is no evidence this bug was exploited in the wild. In any case, LastPass 4.33.0 fixed the problem. This doesn’t necessarily mean you should abandon LastPass or password managers in general. But if you’re concerned, maybe you could explore password salts below.