Password manager LastPass has fixed two vulnerabilities that affected many of its app's browser extensions. But the company said there were no reports of hackers exploiting the vulnerabilities and that users don't need to change their stored passwords.
The vulnerabilities, which Google security researcher Tavis Ormandy discovered earlier this month, could have let malicious websites steal site credentials that users saved in their LastPass accounts. After luring users to a malicious site, an attacker could then access the LastPass APIs and run arbitrary code while appearing as a trusted party, LastPass explained.
One of the vulnerabilities affects the LastPass browser extension for an older version of the Firefox browser, while the other affects all versions of the LastPass extension for Edge, Chrome, and Firefox.
LastPass said it has updated its browser extension to remove the second bug, which it described in a blog post as an issue with an experimental "consumer onboarding feature." As of Wednesday afternoon, updates are live for the Firefox and Chrome browsers, while the Edge update is currently awaiting app store approval.
"We have no indication that any of the reported vulnerabilities were exploited in the wild, but we're doing a thorough review at this time to confirm," the company wrote in the blog post. For now, it says, no password changes are required.
Although the threat of attackers using malicious websites to trick users is nothing new, it is particularly worrisome for companies like LastPass, whose software is designed to store passwords and other credentials for numerous websites and services. The company said it is reviewing and strengthening its code review process for experimental features.