Good question! I also ask myself the same question because it worries me too!
Do you have any plans to protect LastPass from these attacks?
The nature of this should not be just marked INFORMATIVE; we need to know what settings we should change, at the least, to help protect us paying LastPass users. Too much is riding on this. Hopefully it is fixed completely, but in the meantime, what should we do? I'm assuming turning off auto-fill, but are there other settings we should be changing?
That's what I came here to find out. When will LastPass fix this vulnerability? I don't feel my data is safe.
WE NEED AN ANSWER TO THIS ASAP
Totally agree, we need an answer about this! I am not confident in the vulnerability management by LastPass, and this case is a good example.
Came looking for an answer. I'd expect more than informative, considering the product is 0, 1, or 2 clicks away from compromising your customers' information.
Escalate and let customers know what's going on.
I had also asked this of LastPass support. Here is their reply (followed by my comments):
*****
At LastPass, we recognize and deeply appreciate the work of security researchers like Marek Tóth, whose efforts help uncover vulnerabilities, raise awareness about emerging threats, and ultimately drive the entire industry forward.
Marek’s recent discovery of a clickjacking vulnerability highlights a broader challenge that all password managers face: how to balance user experience and convenience with the need to stay ahead of evolving threat models. It’s a delicate equation—and one we’re constantly working to refine.
To address this specific issue, LastPass has implemented several safeguards, including a pop-up notification that appears before auto-filling credit card and personal information across all websites. These measures are part of our ongoing commitment to protect users without compromising the seamless experience they expect.
Our Threat Intelligence, Mitigation, and Escalation (TIME) team continues to monitor the landscape closely and encourages all password manager users to remain vigilant. That means avoiding suspicious overlays or pop-ups and keeping your LastPass extensions up to date.
Security is a shared responsibility—and we’re grateful to researchers like Marek who help make the digital world safer for everyone.
It's all true, but it doesn't help much.
Tóth made recommendations about how webpages (which, I guess, includes LastPass's code running in the context of a page in a browser) could attempt to detect and defend against these attacks, such as monitoring for anything trying to display with (near-)zero opacity.
I opened a LastPass support case about this question. All I got back was the same empty response (as in, it doesn't actually tell us what they're doing; it only tells us that we users share some responsibility, and that it's a hard problem). I fed back to them that LastPass is in a far better position to use its technology to detect environments within which the LastPass browser extension finds itself functioning which could be considered suspicious (a bit like Microsoft Entra ID's Conditional Access) and take more protective steps under the circumstances. All they replied with was:
"Thank you for that great insight. We are taking everything into consideration and your security is our top priority."
.. and this sticky thread:
https://support.lastpass.com/s/question/0D5TP00000gjc4D0AQ/clickjacking-and-lastpass-what-you-need-to-know
.. which states that they WILL be adding code to detect zero opacity in a forthcoming update to the LastPass browser extension.
That's the only mitigation they describe that they're working on at the moment.
"We're doing something. About some of it."
That's good. As far as it goes. It's not at all enough.
We know, this is hard. Virtually impossible.
We're not asking LastPass for perfection, just transparency and faster response.
What are the remaining threat vectors exposed by Tóth's recent research?
How is LastPass addressing each?
Hello, and thank you for your concerns.
We take this and all threats very seriously. We listen to our customer feedback and are actively monitoring all discussions on this topic and are making additional updates to protect your security.
A new background security rule is in flight and will be included in an upcoming browser extension release that is expected in the next version, 4.146.6, by August 29th. This enhancement detects the most common clickjacking tactic, which employs hijack elements hidden with ‘0 opacity’, and will block autofilling when detected on a website. Note, not all variants of clickjacking attacks rely on opacity, so we’re continuing to evaluate broader protections as well.
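To illustrate what a "block autofill when a 0-opacity element is detected" rule of the kind described in the reply above can look like, here is an added example; it is not LastPass's or Marek Tóth's code, and the function names, the 0.05 threshold and the sample page are assumptions constructed for the illustration. It operates on a snapshot of element styles and boxes so the decision logic can be exercised outside a browser, with a small collector for the live DOM.

```javascript
// Added example (not LastPass or Marek Tóth code): refuse to autofill a field when an
// effectively invisible element covers it. Opacity is multiplied along the ancestor
// chain, because a child with opacity 1 inside a parent with opacity 0 is still invisible.
const OPACITY_THRESHOLD = 0.05; // assumption: below this the element counts as hidden

function effectiveOpacity(el, byId) {
  let o = el.opacity;
  for (let pid = el.parent; pid !== null; pid = byId.get(pid).parent) o *= byId.get(pid).opacity;
  return o;
}

function overlaps(a, b) {
  return a.x < b.x + b.w && b.x < a.x + a.w && a.y < b.y + b.h && b.y < a.y + a.h;
}

// snapshot: [{id, parent, opacity, rect:{x,y,w,h}}], the shape collectSnapshot() builds.
// Returns {safe, overlays}; an extension would skip autofill when safe is false.
function autofillDecision(snapshot, targetId) {
  const byId = new Map(snapshot.map(e => [e.id, e]));
  const target = byId.get(targetId);
  const overlays = snapshot
    .filter(e => e.id !== targetId && e.rect.w > 0 && e.rect.h > 0 && overlaps(e.rect, target.rect))
    .filter(e => effectiveOpacity(e, byId) < OPACITY_THRESHOLD)
    .map(e => e.id);
  return { safe: overlays.length === 0, overlays };
}

// Browser side: build the snapshot from the live DOM via getComputedStyle/getBoundingClientRect.
function collectSnapshot(doc, targetEl) {
  const els = Array.from(doc.querySelectorAll('*'));
  const idOf = new Map(els.map((el, i) => [el, i]));
  const snapshot = els.map(el => {
    const r = el.getBoundingClientRect();
    return { id: idOf.get(el), parent: el.parentElement ? idOf.get(el.parentElement) : null,
      opacity: parseFloat(doc.defaultView.getComputedStyle(el).opacity),
      rect: { x: r.left, y: r.top, w: r.width, h: r.height } };
  });
  return { snapshot, targetId: idOf.get(targetEl) };
}

// Constructed sample: a password field under a full-page wrapper with opacity 0.
const SAMPLE_PAGE = [
  { id: 'body', parent: null, opacity: 1, rect: { x: 0, y: 0, w: 1200, h: 800 } },
  { id: 'pw', parent: 'body', opacity: 1, rect: { x: 100, y: 100, w: 200, h: 30 } },
  { id: 'cover', parent: 'body', opacity: 0, rect: { x: 0, y: 0, w: 1200, h: 800 } },
  { id: 'coverBtn', parent: 'cover', opacity: 1, rect: { x: 90, y: 95, w: 220, h: 40 } },
];
console.log(autofillDecision(SAMPLE_PAGE, 'pw')); // { safe: false, overlays: ['cover', 'coverBtn'] }
```

As the reply notes, this only catches the opacity variant; the same decision function can take further reasons alongside the opacity check, but those are not shown here.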