LastPass Notifies Users of OTP, Bookmarklet Vulnerabilities

Password Manager Vulnerabilities

The developers of the popular password manager LastPass informed users on Friday of security vulnerabilities reported to the company last year.


The flaws, affecting bookmarklets and one-time passwords (OTP), were identified in August 2013 by University of California, Berkeley researchers Zhiwei Li, Warren He, Devdatta Akhawe and Dawn Song.

According to LastPass, the vulnerabilities were addressed shortly after Zhiwei reported them to the company, but their existence was disclosed only now, after the researchers published a paper on security holes found in some of the most popular Web-based password managers.

Bookmarklets are pieces of JavaScript code that enable the users of password managers to log in to their accounts without having to install extensions. Bookmarklets, which are installed as bookmarks and are executed in the context of Web applications, are useful for mobile browsers that don’t support extensions.

The researchers discovered a way to extract the passwords stored by a user in the LastPass vault by getting the victim to click on the bookmarklet while visiting a specially crafted website.

LastPass says less than 1% of its user base actively uses bookmarklets and that there is no evidence the vulnerability has been exploited in the wild. While the company doesn’t consider it necessary, customers who used bookmarklets on websites they don’t trust before September 2013 may want to change their master passwords and generate new passwords for their online accounts.
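The bookmarklet problem described above comes down to trust: a bookmarklet runs as ordinary script inside whatever page it is clicked on, so everything it reads from that page, including which site it believes it is on, is under the page's control. The example below is added here and is not LastPass code; it shows the defensive pattern of keeping credential selection on the password manager's own origin (for instance in an iframe) and keying it to the browser-supplied `event.origin` of a `postMessage`, which page script cannot forge. The vault entries, origins and message shapes are constructed for illustration.

```javascript
// Added example, not LastPass's own code. Contrasts a broker that trusts a
// page-supplied site name with one that serves credentials only for the
// origin the browser reports. Vault contents and origins are constructed.

const VAULT = {
  "https://bank.example": { username: "alice", password: "correct-horse" },
  "https://mail.example": { username: "alice@mail.example", password: "battery-staple" },
};

// Canonicalize a browser-supplied origin; anything that is not https is
// refused. Sandboxed frames report the literal string "null", which does
// not parse as a URL and is therefore rejected here.
function canonicalOrigin(origin) {
  try {
    const u = new URL(origin);
    return u.protocol === "https:" ? u.origin : null;
  } catch (_) {
    return null;
  }
}

// Naive broker: looks up whatever site the page put in the message. A page
// on any origin can ask for any entry, which is the class of mistake that
// makes "click the bookmarklet on a crafted site" dangerous.
function naiveFill(event) {
  const entry = VAULT[event.data.site];
  return entry ? { ok: true, credentials: entry } : { ok: false };
}

// Hardened broker: ignores the page-supplied site field entirely and serves
// only the entry registered for the origin the browser says sent the message.
function hardenedFill(event) {
  const origin = canonicalOrigin(event.origin);
  if (!origin) return { ok: false, reason: "origin not eligible" };
  if (!event.data || event.data.type !== "fill") {
    return { ok: false, reason: "malformed request" };
  }
  const entry = VAULT[origin];
  if (!entry) return { ok: false, reason: "no credentials for " + origin };
  return { ok: true, origin, credentials: entry };
}

// Simulated message events. In a browser these would be MessageEvents
// delivered to a window.addEventListener("message", ...) handler inside the
// manager's own frame; origin is set by the browser, data by the sender.
const fromBank = { origin: "https://bank.example", data: { type: "fill", site: "https://bank.example" } };
const fromOther = { origin: "https://other.example", data: { type: "fill", site: "https://bank.example" } };
const fromNull = { origin: "null", data: { type: "fill", site: "https://bank.example" } };

function demo() {
  return {
    naiveOther: naiveFill(fromOther).ok,       // true: page-supplied site is trusted
    hardenedBank: hardenedFill(fromBank).ok,   // true: origin matches a vault entry
    hardenedOther: hardenedFill(fromOther).ok, // false: served per browser origin only
    hardenedNull: hardenedFill(fromNull).ok,   // false: "null" origin refused
  };
}
```

The point of `hardenedFill` is that the decision never depends on a value the host page can write; the same principle applies to any other page-controlled input a bookmarklet might be tempted to read, such as global functions it calls.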

The second vulnerability is related to the one-time passwords (OTPs) that users can set up so that an attacker who obtains their master password still cannot log in to their LastPass account. The researchers found a cross-site request forgery (CSRF) flaw that could have been leveraged to obtain a targeted user’s encrypted password database.

“Regarding the OTP attack, it is a ‘targeted attack’, requiring an attacker to know the user’s username to potentially exploit it, and serve that custom attack per user, activity which we have not seen. Even if this was exploited, the attacker would still not have the key to decrypt user data,” LastPass noted in a blog post.


However, the researchers explained that an attacker could have leveraged the security hole to identify the websites on which a victim had an account and delete credentials from the password database, based only on their username. Furthermore, while attackers couldn’t have gained direct access to a password, they would have the encrypted password database available for “offline guessing,” the experts said.

“Zhiwei only tested these exploits on dummy accounts at LastPass and we don’t have any evidence they were exploited by anyone beyond himself and his research team. The reported issues were addressed immediately, as confirmed by their team, and we let them publish their research before discussing it,” LastPass said.
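A CSRF flaw of the kind described above works because the browser attaches the victim's session cookie to a request regardless of which site triggered it. The guard below is an added example, not LastPass code, for an authenticated endpoint that returns or modifies a user's vault: besides the cookie it requires a per-session anti-CSRF token that a cross-site page cannot read, and it checks the browser-set `Origin` header (falling back to `Referer`) against the service's own origin. The service origin, session store, endpoint and sample requests are constructed.

```javascript
// Added example, not LastPass's own code. Decides whether a request that
// carries a valid session may touch the vault; a cross-site page can make the
// browser send the cookie but cannot supply the token or fake the Origin.

const SERVICE_ORIGIN = "https://vault.example"; // constructed service origin

// sessionId -> { user, csrfToken }; a real service would generate random tokens.
const SESSIONS = new Map([
  ["sid-alice-1", { user: "alice", csrfToken: "tok-constructed-4f9c2e" }],
]);

function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Compare secrets without leaking the position of the first mismatch via timing.
function constantTimeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

function originOf(urlString) {
  try { return new URL(urlString).origin; } catch (_) { return null; }
}

// req: { method, headers } with lowercase header names, as Node's http module
// provides them. Returns a decision the caller acts on before reading the vault.
function guardVaultRequest(req) {
  const sid = parseCookies(req.headers.cookie)["sid"];
  const session = SESSIONS.get(sid);
  if (!session) return { allowed: false, status: 401, reason: "no valid session" };

  // 1. Source check: Origin (or Referer when Origin is absent) must be this
  //    service. Neither header present is treated as cross-site: fail closed.
  const source = req.headers.origin !== undefined
    ? originOf(req.headers.origin)
    : originOf(req.headers.referer);
  if (source !== SERVICE_ORIGIN) {
    return { allowed: false, status: 403, reason: "cross-site request" };
  }

  // 2. Token check: the header value must equal the session's own token.
  if (!constantTimeEqual(req.headers["x-csrf-token"], session.csrfToken)) {
    return { allowed: false, status: 403, reason: "missing or wrong anti-CSRF token" };
  }
  return { allowed: true, status: 200, user: session.user };
}

// Constructed requests against a hypothetical POST /vault/export endpoint.
const legitimate = { method: "POST", headers: {
  cookie: "sid=sid-alice-1", origin: SERVICE_ORIGIN, "x-csrf-token": "tok-constructed-4f9c2e" } };
// Shape of a cross-site form post: the browser adds the cookie and the real
// Origin of the submitting page, and that page has no way to supply the token.
const crossSite = { method: "POST", headers: {
  cookie: "sid=sid-alice-1", origin: "https://other.example" } };
// Same-origin request carrying a stale token, e.g. from an old tab.
const staleToken = { method: "POST", headers: {
  cookie: "sid=sid-alice-1", origin: SERVICE_ORIGIN, "x-csrf-token": "tok-old" } };
// Nothing identifying a session at all.
const noSession = { method: "POST", headers: { origin: SERVICE_ORIGIN } };
```

Checking the token in constant time is a small detail, but a plain string comparison on a secret would hand an attacker a timing side channel on the very value the guard exists to protect.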

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
