Computer crime and passwords
The flaw may allow cybercriminals to remotely access user accounts, according to Tavis Ormandy iStock

A Google Project Zero hacker is claiming to have uncovered critical zero-day security vulnerability in LastPass that can potentially give cybercriminals the ability to remotely access user accounts.

LastPass is a popular password manager that stores credentials to auto-fill login processes every time users attempt to access their accounts. On its website, it stresses that security is paramount – using AES-256 bit encryption to "ensure complete security in the cloud."

However, security researcher Tavis Ormandy has taken to Twitter to claim that, upon inspection, the software has "obvious critical problems." In an update on 26 July, he wrote: "Full report sent to LastPass, they're working on it now. Yes, it's a complete remote compromise."

Zero-day flaws are previously unknown security vulnerabilities that can be easily exploited by hackers under-the-radar.

This will be of obvious concern to any users relying on LastPass to store their credentials securely. According to a report on The Register, Ormandy said that "millions of users" may now be vulnerable to compromise just by visiting a malicious website until an official patch is released.

At the time of writing, no technical details of the security flaws have been released by either LastPass or the Google Project Zero bug hunter. However, with the flaw responsibly disclosed, this is now expected to be on the horizon.

LastPass told IBTimes UK via email: "As always, we appreciate the work of the security community to challenge our product and ensure we deliver a secure service for our users. Our team worked directly with the security researchers to verify the reports made and worked quickly to issue a fix for LastPass users. To apply the fixes, we recommend that users update LastPass on their browsers."

When asked for clarification if this was in reference to the flaws reported by Ormandy, a spokesperson said: "Correct." The firm added that updates will soon be published to its blog, which can be viewed here.

This is not the first time LastPass has suffered security issues. In June last year, the service was targeted by hackers and sensitive user data including email addresses, password remainders and authentication hashes – encrypted account permissions – were compromised. It maintained that no master passwords were lost in the attack.

"Security is an ongoing back-and-forth," said Joe Siegrist, LastPass chief executive, at the time. "We make advancements, and the bad guys do, too. The work is never done here at LastPass. It's constantly evolving, so it's important to stay ahead of the game."

Now, Ormandy – who has previously uncovered security bugs in popular anti-virus software from major firms like Symantec, Sophos and Trend Micro. On his Twitter account while disclosing the purported LastPass flaw, he indicated he would soon be turning his attention to another popular password manager - 1Password.

IBTimes UK contacted Ormandy however had received no response at the time of publication. This article was updated to add comment from LastPass.