LastPass Notifies Users of OTP, Bookmarklet Vulnerabilities

Password Manager Vulnerabilities

The developers of the popular password manager LastPass informed users on Friday of security vulnerabilities reported to the company last year.


The flaws, affecting bookmarklets and one-time passwords (OTP), were identified in August 2013 by University of California, Berkeley researchers Zhiwei Li, Warren He, Devdatta Akhawe and Dawn Song.

According to LastPass, the vulnerabilities were addressed shortly after Zhiwei Li reported them to the company, but their existence was disclosed only now because the researchers have published a paper, "The Emperor's New Password Manager" (USENIX Security 2014), on security holes found in some of the most popular Web-based password managers.

Bookmarklets are pieces of JavaScript code that enable the users of password managers to log in to their accounts without having to install extensions. Bookmarklets, which are saved as bookmarks and run inside whatever page the user is currently viewing, are useful for mobile browsers that don't support extensions. The trade-off is that the bookmarklet's code executes with the privileges of that page and in its JavaScript environment, so a malicious page can tamper with the objects and functions the bookmarklet relies on before the user ever clicks it.

The researchers discovered a way to extract passwords stored in a user's LastPass vault by getting the victim to click on the bookmarklet while visiting a specially crafted website: because the bookmarklet ran inside the attacker's page, that page could interfere with it and capture credentials the victim never intended to use there.
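The following is an added example, not LastPass code or the researchers' exploit, that models the weakness described above in plain Node.js. A simulated bookmarklet runs inside a "page" whose `JSON.parse` has been redefined by the attacker; a server that hands the whole vault to the bookmarklet and lets it pick the right entry leaks every other site's credentials to the page, while a server that scopes its answer to the browser-reported origin gives a hostile page nothing it could not have phished anyway. All site names, users and secrets are constructed.

```javascript
// Added example, not LastPass code: a toy model of a password-manager
// bookmarklet running inside a hostile page. All sites, users and secrets
// below are constructed for the demonstration.

// Constructed vault: the user's stored logins, keyed by site.
const VAULT = {
  "bank.example": { user: "alice", pass: "hunter2" },
  "mail.example": { user: "alice@mail.example", pass: "correct-horse" },
};

// The environment a bookmarklet runs in. `origin` is set by the browser and
// cannot be forged by page script, but every other global the bookmarklet
// touches (modelled here by JSON.parse) may have been redefined by the page
// before the user clicks.
function hostilePage(origin) {
  const page = { origin, stolen: [] };
  page.JSON = {
    parse(text) {
      const obj = JSON.parse(text); // real parser, plus a copy for the attacker
      page.stolen.push(obj);
      return obj;
    },
  };
  return page;
}

// Weak server behaviour: returns the whole vault and trusts the bookmarklet
// to pick out the entry for the current site.
function serverWholeVault(_origin) {
  return JSON.stringify(VAULT);
}

// Hardened server behaviour: scopes the response to the origin the browser
// reports for the request (e.g. via the Origin/Referer header), so a page
// can only ever receive the entry for its own site.
function serverScopedToOrigin(origin) {
  const has = Object.prototype.hasOwnProperty.call(VAULT, origin);
  return JSON.stringify(has ? { [origin]: VAULT[origin] } : {});
}

// The bookmarklet body. It runs in the page, so it has no choice but to use
// the page's JSON.parse; `server` stands in for the network call, with the
// browser supplying `page.origin` on that request.
function bookmarklet(page, server) {
  const entries = page.JSON.parse(server(page.origin));
  return entries[page.origin] ?? null; // what would be filled into the form
}

// Which other sites' credentials ended up in the page's hands?
function leakedSites(page) {
  const sites = new Set();
  for (const entries of page.stolen) {
    for (const site of Object.keys(entries)) {
      if (site !== page.origin) sites.add(site);
    }
  }
  return [...sites].sort();
}

function demo(origin, server) {
  const page = hostilePage(origin);
  const filled = bookmarklet(page, server);
  return { filled, leaked: leakedSites(page) };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("whole vault:", demo("evil.example", serverWholeVault));
  console.log("scoped     :", demo("evil.example", serverScopedToOrigin));
}
```

Running it with `node` prints the two outcomes for a visit to `evil.example`: the whole-vault design leaks the `bank.example` and `mail.example` entries to the page, the scoped design leaks none. The design point is that nothing the bookmarklet does client-side can be trusted once the page is hostile, so the only robust control is to never move more than the current origin's secret into that origin in the first place.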

LastPass says less than 1% of its user base actively uses bookmarklets and that there is no evidence the vulnerability has been exploited in the wild. The company does not consider it necessary, but customers who used bookmarklets before September 2013 on websites they don't trust may want to change their master password and generate new passwords for their online accounts.

The second vulnerability is related to the one-time passwords (OTPs) that users can enable so that an attacker who obtains their master password still cannot log in to their LastPass account. The researchers found a cross-site request forgery (CSRF) flaw: because the browser attaches a logged-in user's cookies to requests regardless of which page triggers them, an attacker's page could make the victim's browser issue a request that returned the victim's encrypted password database.

“Regarding the OTP attack, it is a ‘targeted attack’, requiring an attacker to know the user’s username to potentially exploit it, and serve that custom attack per user, activity which we have not seen. Even if this was exploited, the attacker would still not have the key to decrypt user data,” LastPass noted in a blog post.


However, the researchers explained that an attacker could have leveraged the security hole to identify the websites on which a victim had an account and to delete credentials from the password database, knowing only the victim's username. Furthermore, while attackers could not read a password directly, they would have the encrypted database available for “offline guessing,” the experts said: with the ciphertext in hand, master-password guesses can be tested locally without any rate limiting by the server, so the remaining protection is the strength of the master password and the cost of the key derivation applied to it.

“Zhiwei only tested these exploits on dummy accounts at LastPass and we don’t have any evidence they were exploited by anyone beyond himself and his research team. The reported issues were addressed immediately, as confirmed by their team, and we let them publish their research before discussing it,” LastPass said.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
