14 Jul 2014
Bookmarklets, which are used for filling out password data, were at the center of both vulnerabilities.
“Zhiwei (the researcher) discovered one issue that could be exploited if a LastPass user utilized the bookmarklet on an attacking site, and another issue if the LastPass user went to an attacking site while logged into LastPass, and used their username to potentially create a bogus OTP,” LastPass wrote in a blog post.
A cyber-criminal would need to know a person’s username to engage in an OTP attack.
LastPass concluded that "even if this was exploited, the attacker would still not have the key to decrypt user data."