I’m a big fan of browser-based password managers such as Dashlane and LastPass. But these tools aren’t perfect, as we were reminded this week. LastPass users got a shock when Google Security Team researcher Tavis Ormandy disclosed a critical flaw affecting LastPass 4.0 users on Firefox. The hole allowed complete remote compromise of a victim’s account: all an attacker had to do was lure the victim to a malicious website.
LastPass quickly fixed the issue, and if you’re running the updated Firefox extension your account is protected against this particular exploit. Here’s how to verify that you are.
Manual updates for add-ons
Open Firefox (these instructions are based on Firefox 47), type about:addons into the address bar, and hit Enter on your keyboard. Next, click on Extensions in the left-hand navigation bar, navigate to the LastPass entry, and click the More link in that section.
You should now be on the add-on’s detail page. First, look at the version number at the top. If it says LastPass 3.3.1, look no further: that version isn’t affected by this flaw. If it says LastPass 4.0, however, you need to confirm that you’re on the latest build of the add-on.
Click on the settings cog in the upper right-hand corner and select Check for Updates. This checks for updates to all of your Firefox add-ons. If updates are found they will be downloaded; if not, you already have the latest versions of your browser enhancements.
You can double-check this by clicking on the settings cog again and selecting View Recent Updates. If LastPass was recently updated it will be listed here.
One last time, click the settings cog and make sure there is a check mark next to Update Add-ons Automatically. There should be one by default, but if not, selecting this setting will make sure your add-ons are always updated to their latest versions.
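If you would rather check from the command line (for example across several machines or profiles), Firefox records every installed add-on in the profile’s extensions.json file. The script below is an added example, not code from the article or from LastPass: it reads that file, pulls out the entries for a given add-on id and compares their version against a fixed version you supply. Assumptions are labelled in the code: the LastPass add-on id (support@lastpass.com), the Linux profile directory, and the sample extensions.json, which is constructed here so the script runs offline. The article does not state the patched version number, so you pass it on the command line rather than trusting a hardcoded value. Version comparison follows Mozilla’s toolkit version format (1.0pre < 1.0 == 1.0.0 < 1.0+ == 1.1pre), which is what Firefox itself uses to decide whether an update is newer, so suffixed builds such as 4.1.20a compare correctly.

```python
"""Check the installed version of a Firefox add-on without opening the browser.

Added example, not from the original article.  Firefox records installed
add-ons in <profile>/extensions.json; this reads that file, pulls out the
entries for a given add-on id and compares their version against the first
fixed version you supply, using Mozilla's toolkit version ordering.
"""
import json
import re
from pathlib import Path

# Assumed add-on id for the LastPass Firefox extension; confirm it against
# the "id" field in your own extensions.json if it differs.
LASTPASS_ID = "support@lastpass.com"

# Constructed sample containing the fields this script reads.
SAMPLE_EXTENSIONS_JSON = json.dumps({
    "schemaVersion": 17,
    "addons": [
        {"id": "support@lastpass.com", "version": "4.1.20a", "active": True,
         "defaultLocale": {"name": "LastPass"}},
        {"id": "uBlock0@raymondhill.net", "version": "1.7.6", "active": True,
         "defaultLocale": {"name": "uBlock Origin"}},
    ],
})

# Each dot-separated part is <number-a><string-b><number-c><string-d>.
_PART_RE = re.compile(r"^(-?\d*)(\D*)(\d*)(.*)$")


def _parse_part(part):
    """Split one version part into (number, string, number, string)."""
    if part == "*":                      # "*" means "any version above"
        return (float("inf"), "", 0, "")
    a, b, c, d = _PART_RE.match(part).groups()
    a = int(a) if a else 0
    if b == "+":                         # "1.0+" is shorthand for "1.1pre"
        a += 1
        b = "pre"
    return (a, b, int(c) if c else 0, d)


def _cmp_str(x, y):
    """String sub-parts: an empty string sorts after any non-empty one."""
    if x == y:
        return 0
    if x == "":
        return 1
    if y == "":
        return -1
    return -1 if x < y else 1


def compare_versions(v1, v2):
    """Return <0, 0 or >0 as v1 is older than, equal to, or newer than v2."""
    p1, p2 = v1.split("."), v2.split(".")
    for i in range(max(len(p1), len(p2))):
        a1 = _parse_part(p1[i]) if i < len(p1) else (0, "", 0, "")
        a2 = _parse_part(p2[i]) if i < len(p2) else (0, "", 0, "")
        for x, y in zip(a1, a2):
            r = _cmp_str(x, y) if isinstance(x, str) else (x > y) - (x < y)
            if r:
                return r
    return 0


def addon_versions(extensions_json_text, addon_id):
    """Versions of every copy of addon_id recorded in an extensions.json."""
    data = json.loads(extensions_json_text)
    return [a["version"] for a in data.get("addons", []) if a.get("id") == addon_id]


def is_vulnerable(installed, first_affected, first_fixed):
    """True when first_affected <= installed < first_fixed."""
    return (compare_versions(installed, first_affected) >= 0
            and compare_versions(installed, first_fixed) < 0)


def check_profiles(addon_id, first_affected, first_fixed, profiles_root=None):
    """Scan every profile under profiles_root (Linux default path assumed)."""
    root = profiles_root or Path.home() / ".mozilla" / "firefox"
    results = {}
    for ext_json in root.glob("*/extensions.json"):
        for v in addon_versions(ext_json.read_text(), addon_id):
            results[str(ext_json.parent)] = (v, is_vulnerable(v, first_affected, first_fixed))
    return results


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: check_addon.py <first-fixed-lastpass-version>")
    # The article says the flaw affects the 4.0 line; the fixed version is
    # whatever LastPass published, so it is taken from the command line.
    for profile, (ver, vuln) in check_profiles(LASTPASS_ID, "4.0", sys.argv[1]).items():
        print(f"{profile}: LastPass {ver} {'VULNERABLE, update now' if vuln else 'ok'}")
```

Because 3.x is below the first affected version, a 3.3.1 install reports as not vulnerable, matching the advice above, and a suffixed build such as 4.1.21a is correctly treated as older than a plain 4.1.21.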
Thinking twice about password managers
It’s always tempting, when a serious security issue pops up, to swear off the software forever. Security flaws suck, but using these tools is still a far better option than inventing and remembering passwords on your own. Doing that inevitably leads to password reuse across sites, which sets you up for far worse problems than a flaw that was patched within days.
You should also enable two-factor authentication on your LastPass account. Two-factor protects the sign-in to your vault rather than what a web page can do to an already-unlocked extension, so it’s not clear whether it would have helped in this case, but in general it makes it much harder for an attacker to take control of your account.