LastPass password vault reportedly not so secure - CNET

Editor's note: This story has been updated with news of LastPass fixing the hole. See below.

Tus out even LastPass, a service promoted as a password "vault," might be putting its users at risk of being .

A security researcher with an established record of tracking down security flaws has found a so-called zero-day hole -- a software vulnerability that the software's makers don't know about -- that could let hackers remotely break into LastPass' millions of accounts. It takes only a visit to a malicious website to become a victim.

White hat researcher Tavis Ormandy was first to identify the problem, publishing a tweet first noticed by The Register.

Normandy followed up with a tweet saying that he sent a full report to LastPass and next up will look at a rival password manger, 1Password.

Neither Normandy nor LastPass immediately retued a request for confirmation and more details on how the hack works.

Update, 1:25 p.m. PT: A LastPass spokeswoman confirmed that the company verified Normandy's reports and worked quickly to issue a fix for the vulnerability. She pointed to a blog explaining the problem to users and recommended users update LastPass on their browsers.

The blog confirms that Normandy, a Google Security Team researcher, "contacted our team to report a message-hijacking bug that affected the LastPass Firefox add-on."

"First, an attacker would need to successfully lure a LastPass user to a malicious website," the blog says. "Once there, Ormandy demonstrated that the website could then execute LastPass actions in the background without the user's knowledge, such as deleting items...(T)his issue has been fully addressed and an update with a fix was pushed for all Firefox users using LastPass 4.0."