LastPass Notifies Users of OTP, Bookmarklet Vulnerabilities

Password Manager Vulnerabilities

The developers of the popular password manager LastPass informed users on Friday of security vulnerabilities reported to the company last year.

The flaws, affecting bookmarklets and one-time passwords (OTP), were identified in August 2013 by University of California, Berkeley researchers Zhiwei Li, Warren He, Devdatta Akhawe and Dawn Song.

According to LastPass, the vulnerabilities were addressed shortly after being reported to the company by Zhiwei, but their existence was disclosed only now because the researchers have published a paper on security holes found in some of the most popular Web-based password managers.

Bookmarklets are pieces of JavaScript code that enable the users of password managers to log in to their accounts without having to install extensions. Bookmarklets, which are installed as bookmarks and are executed in the context of Web applications, are useful for mobile browsers that don’t support extensions.

The researchers discovered a way to extract the passwords stored by a user in the LastPass vault by getting the victim to click on the bookmarklet while visiting a specially crafted website.

LastPass says less than 1% of its user base actively uses bookmarklets and there’s no evidence that the vulnerability has been exploited in the wild. While the company doesn’t think it’s necessary, customers who have been using bookmarklets before September 2013 on websites they don’t trust can consider changing their master passwords and generating new passwords for their online accounts.

The second vulnerability uncovered by the researchers concerns the one-time passwords (OTPs) that users rely on to prevent an attacker who has obtained their master password from accessing their LastPass accounts. The researchers found a cross-site request forgery (CSRF) flaw that could have been leveraged to obtain a targeted user’s encrypted password database.

“Regarding the OTP attack, it is a ‘targeted attack’, requiring an attacker to know the user’s username to potentially exploit it, and serve that custom attack per user, activity which we have not seen. Even if this was exploited, the attacker would still not have the key to decrypt user data,” LastPass noted in a blog post.

However, the researchers explained that an attacker could have leveraged the security hole to identify the websites on which a victim had an account and delete credentials from the password database, based only on their username. Furthermore, while attackers couldn’t have gained direct access to a password, they would have the encrypted password database available for “offline guessing,” the experts said.

“Zhiwei only tested these exploits on dummy accounts at LastPass and we don’t have any evidence they were exploited by anyone beyond himself and his research team. The reported issues were addressed immediately, as confirmed by their team, and we let them publish their research before discussing it,” LastPass said.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
