14 Jul 2014

Two Vulnerabilities in LastPass Fixed and Disclosed; Study Shows

Two vulnerabilities in the popular password manager service LastPass have been fixed and disclosed, according to ITWorld. Both were discovered last year in August and were immediately addressed.

Bookmarklets, which LastPass uses to fill in password data, were at the center of both vulnerabilities.

“Zhiwei (the researcher) discovered one issue that could be exploited if a LastPass user utilized the bookmarklet on an attacking site, and another issue if the LastPass user went to an attacking site while logged into LastPass, and used their username to potentially create a bogus OTP,” LastPass wrote in a blog post.

A cyber-criminal would need to know a person's username to carry out the OTP attack.

LastPass concluded that "even if this was exploited, the attacker would still not have the key to decrypt user data."

The LastPass vulnerability disclosure is part of a larger study on password manager services that documents their vulnerabilities and weak points.