LastPass Finds Security Holes In Its Online Password Manager, Doesn’t Think Anyone Exploited Them


When you’re in charge of keeping many hundreds of thousands of passwords under lock and key, trust is everything. Maintaining that trust means fessing up when things go wrong — even if it’s something you don’t think affected your users.

Such is the case today for LastPass, a popular password manager for Safari, Chrome, Firefox and Opera. They’ve just published details of two security exploits discovered lurking in their products, though they say they don’t believe the exploits were ever used maliciously.

You can read their full post here, but here’s the gist of it:

  • The first bug is tucked into their less-used bookmarklet offering, not the more popular LastPass plugin. LastPass says “less than 1%” of its userbase uses these bookmarklets.
  • With this first exploit, if a user clicked on their bookmarklet while on a site specifically built with this hack in mind, LastPass could be coaxed into coughing up the user’s credentials for others sites, like Dropbox, Gmail, etc.
  • A second bug involves LastPass’ “One Time Password” feature. This feature lets a user log in to LastPass with a self-destructing password that only works once. It’s useful in cases where you don’t necessarily trust the computer you’re using to not have a keylogger — like, say, a public library.
  • The One-Time-Password bug is strictly targeted, requiring the attacker to know the potential victim’s LastPass username prior to the attack. They don’t believe it could target LastPass users blindly.
  • According to the researchers, the second bug could actually be used for three different nasty purposes: obtaining a list of all sites the user is storing passwords for, obtaining an encrypted copy of a user’s password database, or blindly deleting credentials stored in a user’s password database.
  • The bugs were discovered in August 2013 by a researcher at UC Berkeley, and fixed immediately.

So why’d they wait a year? As LastPass fixed the bugs quickly and had no evidence the bugs were ever exploited maliciously, it says they opted to let the research team publish their research on their own schedule. If you’re interested in getting into the technical details of either exploit, this appears to be the research paper in question.

As for what you LastPass recommends their users do:

If you are concerned that you’ve used bookmarklets before September 2013 on non-trustworthy sites, you may consider changing your master password and generating new passwords, though we don’t think it is necessary.

Regarding the OTP attack, it is a “targeted attack”, requiring an attacker to know the user’s username to potentially exploit it, and serve that custom attack per user, activity which we have not seen.

In 2011, LastPass publicly disclosed a “traffic anomaly” on their server that they couldn’t account for. Though there was no evidence that user data had been exposed, they opted “to be paranoid and assume the worst” and told many users to reset their passwords.