LastPass Acknowledges Two Security Flaws
LastPass recently patched a pair of security flaws in its password management solution.

UC Berkeley security researcher Zhiwei Li contacted LastPass in August of 2013 to alert the company to two vulnerabilities related to LastPass bookmarklets and One Time Passwords (OTPs). One issue could be exploited if a LastPass user used a bookmarklet on a malicious website, and the other could be exploited if a user visited a malicious site while logged into LastPass and used their user name to create a bogus OTP.

"Zhiwei only tested these exploits on dummy accounts at LastPass, and we don't have any evidence they were exploited by anyone beyond himself and his research team," the company stated in a blog post. "The reported issues were addressed immediately, as confirmed by their team, and we let them publish their research before discussing it."

The company says LastPass users who used bookmarklets prior to September 2013 on non-trustworthy sites may consider changing their master password and generating new passwords, "though we don't think it is necessary."

The OTP attack, LastPass notes, requires that the attacker know the victim's username and target the attack to that particular user -- and even if the attack was successful, the user data would still be encrypted. LastPass users who would like to check their current OTPs, however, can do so here.

This isn't the first such incident for LastPass -- in February of 2011, a security researcher uncovered a cross site scripting flaw in the LastPass website; in May of 2011, the company advised all users to change their master passwords following a possible data breach; and in August of 2013, the company acknowledged that a vulnerability in its add-on for Internet Explorer may have made passwords accessible in a memory dump.

In a paper [PDF] detailing their recent findings, Li and fellow UC Berkeley researchers Warren He, Devdatta Akhawe and Dawn Song described the vulnerabilities they uncovered in LastPass, as well as in competing password managers RoboForm, my1login and PasswordBox.

While password managers "promise tremendous security and usability benefits at minimal deployability costs," the researchers noted, widespread adoption of insecure password managers could actually do the opposite, adding a single point of failure to the Web authentication system.

"Our work is a wake-up call for developers of web-based password managers," the researchers wrote. "The wide spectrum of discovered vulnerabilities, however, makes a single solution unlikely. Instead, we believe developing a secure Web-based password manager entails a systematic, defense-in-depth approach."

eSecurity Planet recently examined a range of different solutions for ensuring secure passwords, including password policy enforcement tools, enterprise password managers and cloud-based single sign-on services.