Security Experts:

LastPass Notifies Users of OTP, Bookmarklet Vulnerabilities

Password Manager Vulnerabilities

The developers of the popular password manager LastPass informed users on Friday of security vulnerabilities reported to the company last year.

The flaws, affecting bookmarklets and one-time passwords (OTP), were identified in August 2013 by University of California, Berkeley researchers Zhiwei Li, Warren He, Devdatta Akhawe and Dawn Song.

According to LastPass, the vulnerabilities were addressed shortly after being reported to the company by Zhiwei, but their existence was disclosed only now because the researchers have published a paper on security holes found in some of the most popular Web-based password managers.

Bookmarklets are pieces of JavaScript code that enable the users of password managers to log in to their accounts without having to install extensions. Bookmarklets, which are installed as bookmarks and are executed in the context of Web applications, are useful for mobile browsers that don't support extensions.

The researchers discovered a way to extract the passwords stored by a user in the LastPass vault by getting the victim to click on the bookmarklet while visiting a specially crafted website.

LastPass says less than 1% of its user base actively uses bookmarklets and there's no evidence that the vulnerability has been exploited in the wild. While the company doesn't think it's necessary, customers who have been using bookmarklets before September 2013 on websites they don't trust can consider changing their master passwords and generating new passwords for their online accounts.

 The second vulnerability uncovered by experts is related to the OTPs that users utilize to prevent an attacker who might have obtained their master password from gaining access to their LastPass accounts. Experts found a cross-site request forgery (CSRF) flaw that could have been leveraged to obtain a targeted user's encrypted password database.

 "Regarding the OTP attack, it is a 'targeted attack', requiring an attacker to know the user’s username to potentially exploit it, and serve that custom attack per user, activity which we have not seen. Even if this was exploited, the attacker would still not have the key to decrypt user data," LastPass noted in a blog post.


However, the researchers explained that an attacker could have leveraged the security hole to identify the websites on which a victim had an account and delete credentials from the password database, based only on their username. Furthermore, while attackers couldn't have gained direct access to a password, they would have the encrypted password database available for "offline guessing," the experts said.

 "Zhiwei only tested these exploits on dummy accounts at LastPass and we don't have any evidence they were exploited by anyone beyond himself and his research team. The reported issues were addressed immediately, as confirmed by their team, and we let them publish their research before discussing it," LastPass said.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.