LastPass, the online service that keeps your passwords safe behind one master password, is currently not nearly as secure as it should be.
According to Google's vulnerability researcher Tavis Ormandy, there's at least one unpatched vulnerability in LastPass that allows attackers to steal passwords "from any domain."
SEE ALSO:Change this security setting on WhatsApp right now
Ormandy recently reported a few other LastPass bugs, including vulnerabilities in the LastPass add-ons for Firefox and Chrome.
I found another bug in LastPass 4.1.35 (unpatched), allows stealing passwords for any domain. Full report will be on the way shortly. pic.twitter.com/9VkV7R3vud
— Tavis Ormandy (@taviso) March 21, 2017
One security vulnerability, described in detail by Ormandy here, not only allows for an attacker to steal passwords, but -- in certain circumstances -- it can also be used to run arbitrary code on the victim's computer.
Mashable Light SpeedWant more out-of-this world tech, space and science stories?Sign up for Mashable's weekly Light Speed newsletter.By signing up you agree to our Terms of Use and Privacy Policy.Thanks for signing up!
On Tuesday, LastPass announced that that particular issue has been resolved, but on Wednesday, the company acknowledged that there is an unpatched bug in its Firefox add-on.
The issue reported by Tavis Ormandy has been resolved. We will provide additional details on our blog soon.
— LastPass (@LastPass) March 21, 2017
We are aware of reports of a Firefox add-on vulnerability. Our security is investigating and working on issuing a fix.
— LastPass (@LastPass) March 22, 2017
Replying to a commenter to Tuesday's tweet, LastPass said that users needn't do anything at this point. However, the company still hasn't published anything on its official blog regarding these new security holes.
While no software is safe from security holes, vulnerabilities that affect password managers such as LastPass are particularly worrisome, as these services safeguard users' entire password collections. Especially when they come in droves, as they do these days.
This is not the first serious security issue LastPass has encountered. The service got hacked in 2011 and again in June 2015. And in 2013, a bug caused some users' Internet Explorer passwords to get exposed to the public.
UPDATE: March 22, 2017, 6:52 p.m. CET LastPass responded to our query by pointing us to their freshly published blog post, here. In the post, the company says it has worked with Ormandy to investigate and fix these vulnerabilities. The company claims it has fixed all issues now, and patches will be applied automatically for most users. According to LastPass, there is no indication that any of these vulnerabilities were exploited in the wild. The company vowed to provide a more comprehensive overview of these vulnerabilities, as well as its efforts to fix them and prevent further issues, in the future.
Featured Video For YouThis automatic smart lock is both convenient and secure