Although most security consultants will agree that password managers should be as common as anti-virus software, there are many to choose from and different ways to configure them. The most recent serious vulnerability found in LastPass could lead us to conclude that storing the master password vault in the cloud may not be as secure as it is convenient.
Google Project Zero researcher Tavis Ormandy has identified yet another serious vulnerability in the LastPass browser extension. The developers of the password manager are aware of the flaw and are working on a patch. Since the vulnerability has not been fixed, only a few details have been made public by Ormandy and LastPass. The researcher said the security hole affects the latest version of the app, and the exploit he developed should work on all web browsers. Similar to a previously found weakness, this vulnerability can be exploited to steal a user’s passwords and, if the LastPass binary component is enabled, to execute arbitrary code.