LastPass has confirmed it has patched vulnerabilities in its “bookmarklets” which were exploitable.
In a blog, it confirmed that security researcher Zhiwei Li revealed “novel” vulnerabilities within the LastPass bookmarklets and One Time Passwords (OTPs). “Zhiwei discovered one issue that could be exploited if a LastPass user utilised the bookmarklet on an attacking site, and another issue if the LastPass user went to an attacking site while logged into LastPass, and used their username to potentially create a bogus OTP,” it said.
While the exploits were only tested on dummy accounts at LastPass, it said that it did not have any evidence that they were exploited by anyone beyond himself and his research team. “The reported issues were addressed immediately, as confirmed by their team, and we let them publish their research before discussing it,” it said.
It recommended users change their master password and generate new passwords if they had used bookmarklets before September 2013 on non-trustworthy sites, though it did not think that it was necessary.
For the OTP attack, this would require an attacker to know the user’s username to potentially exploit it, and serve that custom attack per user, which is said was targeted activity “which we have not seen”.
It said: “We appreciate that, as the most popular password manager in the world, we have an active, dedicated community that challenges us to be better and is committed to helping us improve the security of our service. Again, we thank Zhiwei and his team for their important research.”
Speaking to IT Security Guru, Jason Steer, director of technology strategy at FireEye, said that as the self-declared number one password management solution, it was interesting that they went public with this. “Like eBay, it was not about encrypted information and there is no detail on how it was encrypted or hashed,” he said. “Once something is put online, there is a risk that data sits unencrypted and if it gets into the data centre then an attacker can exploit the gap.”
Steer also made the point that the bookmarklets are just Javascript, and that is used everywhere on the internet these days.