Last week, the password manager LastPass shipped an update that fixes a security bug disclosed last month by Tavis Ormandy, a security researcher at Google.

Widely considered the most popular password manager today, LastPass addressed the reported issue in version 4.33.0, released on September 12.

Users who have not enabled auto-update for their LastPass browser extension or mobile app should update manually as soon as possible, and anyone unsure should check that the installed version is 4.33.0 or later.

The urgency comes from the fact that Ormandy published full details of the flaw yesterday. His bug report walks through the steps needed to reproduce the issue, which means attackers now have a working recipe.

Because the bug is triggered by executing malicious JavaScript alone, with no further user interaction required, it is considered dangerous and realistically exploitable.

An attacker could lure users to a malicious page and abuse the vulnerability to extract the credentials that LastPass had filled on a previously visited site. According to Ormandy, this is easier than it sounds: an attacker could hide the malicious link behind a Google Translate URL, trick the user into clicking it, and then harvest the credentials from the site the user had visited before.

“I think it’s fair to call this ‘High’ severity, even if it won’t work for *all* URLs,” Ormandy said.

Because the vulnerability was discovered and then privately reported by Google, and public details only appeared after the fix was available, there is currently no indication that the bug has been exploited in the wild. That does not remove the need to update: with the write-up now public, unpatched installations are the obvious target.
