LastPass tells users about two security flaws - a year after they were fixed

Researcher found issues in program components

LastPass fixed two software flaws in its popular password manager nearly a year ago after being informed of their existence by a researcher, the firm has admitted.

The firm used a blog post to disclose the issues, which affected the LastPass bookmarklets (an alternative to the browser plugin used by 99 percent of users) and the One Time Passwords (OTPs) feature, which allows login using a password that can be used only once.

Discovered by Zhiwei Li of UC Berkeley, the bookmarklet flaw could have caused a compromise had the user visited a site designed to exploit the issue, while to make use of the OTP vulnerability an attacker would have had to know the user's LastPass user name, the firm said. A more detailed explanation of the issues can be found in the co-authored paper.

"Zhiwei only tested these exploits on dummy accounts at LastPass and we don't have any evidence they were exploited by anyone beyond himself and his research team," LastPass wrote.

"The reported issues were addressed immediately, as confirmed by their team, and we let them publish their research before discussing it."

These aren't, on the face of it, major issues for LastPass, because neither was exploited and both were fixed. However, there will be questions over the length of time it has taken to inform the world of their existence, a disclosure that has come only in advance of a presentation on the topic at a forthcoming security conference.

"We appreciate that, as the most popular password manager in the world, we have an active, dedicated community that challenges us to be better and is committed to helping us improve the security of our service. Again, we thank Zhiwei and his team for their important research," said LastPass.

LastPass's last significant security worry was probably the 2011 'hack', which led to the firm requesting that its users reset their master passwords as a precaution. Although described as a minor issue, the extent of the compromise that sparked the warning was never made clear.

Stories by John E Dunn

Latest Videos

More videos

Blog Posts