2017-03-23

WHAT DO YOU CALL A PASSWORD VAULT THAT LEAKS OR STORES PASSWORDS? LastPass.

Okay, it is not a very funny joke. In fact, it is no joke at all. LastPass is supposed to look after people's passwords, so when we heard that it is vulnerable to a remote code execution flaw that might make them as public as Kim Kardashian's arse, we sat up.

The good news is that LastPass raced to find a solution for a range of problems that Google brought to it, and told users via a blog post.

The firm also thanked Tavis Ormandy, who is rapidly becoming a thorn in the side of any company with a weak underbelly. It appears that it took some time for the company to come to terms with all of the problems, and that the fix took around a week.

"Tavis Ormandy, a researcher at Google's Project Zero, reported vulnerabilities to our team over the past week that affected many LastPass browser extensions. The reported issues affected both personal and business users," it said in its 'Important Security Update'.

"To exploit the reported vulnerabilities, an attacker would first lure a user to a malicious website. Once on a malicious website, Tavis demonstrated how an attacker could make calls into LastPass APIs, or in some cases run arbitrary code, while appearing as a trusted party.

"Doing so would allow the attacker to potentially retrieve and expose information from the LastPass account, such as user's login credentials."

Bloody Tavis gets everywhere, and LastPass says that he both helped and hindered the process of patching.

"Upon notification of the vulnerability, the LastPass team immediately shut down the vulnerable service, and began work to update all affected clients," it added.

"While working on our client-side fix, Tavis tweeted (since deleted) about an additional issue. To clarify, this was the same issue across two distinct browsers. This caused some confusion around volume of issues and status of fixes."

I deleted a widely shared tweet I'd written "unpatched" in, because it's now patched; was confusing w/o context. Lack of foresight on my part. — Tavis Ormandy (@taviso) March 22, 2017

However, lessons have been learned that LastPass will benefit from. The firm says that it will be changing the way that it does things and that it is grateful for what Mr Ormandy and team have done.

"To prevent these issues in the future, we are reviewing and strengthening our code review and security processes in place today, particularly around new and experimental features," it explained.

"It goes without saying that security is fundamental to what we do. We strive for transparency in responding to these issues. We greatly value the work that Tavis, Project Zero, and other white-hat researchers provide. We all benefit when this security model works for responsibly disclosing bugs, and are confident LastPass is stronger for the attention. We welcome contributions from all researchers via our bug bounty program at Bug Crowd".

Users are told to update to the very latest version of the software. µ