Password management site LastPass has plugged a security hole in its website that could be used to extract the email addresses - though not the passwords - of enrolled users. The cross-site scripting bug meant that a logged-in user tricked into visiting a malicious site could have their email address and the list of sites associated with their LastPass account read by the attacker, along with their password reminders and a list of the IP addresses used to access the service.
The bug was discovered by independent security researcher Mike Cardwell, who was unable to use the flaw to extract any stored passwords.
LastPass - which boasts close to a million users - stores website login details in an encrypted container, safeguarded by a master password. Users log in to retrieve this information either directly via the website or through a browser extension.