LastPass goes public over security vulnerabilities

July 14, 2014 // 10:37 a.m.

Tags: #encryption #insecurity #lastpass #password-manager #security #vulnerabilities #vulnerability #zhiwei-li

Cloud-powered password management service LastPass has spoken publicly for the first time about a pair of security flaws reported in August 2013, but says that users have nothing to fear from the bugs.

LastPass is a popular cross-platform password management service, which stores users' usernames, passwords and other private details on remote servers. These details are reversibly encrypted using a master password, meaning that LastPass users need only remember a single password while having the ability to use a unique and complex password for every site and service they use.

It's a handy way of dealing with the issues surrounding secure passwords, but one that introduces a single point of failure: if an attacker gains access to the target's LastPass account, the attacker automatically gains access to every single site stored within the database - unless, of course, two-factor authentication is being used. That makes security vulnerabilities in the service a serious concern, and LastPass has confirmed that two such vulnerabilities were reported to the company in August last year.

The vulnerabilities were spotted by Zhiwei Li, a security researcher at the University of California at Berkeley, who notified the site and agreed to keep his discoveries a secret until the flaws could be patched. The first issue was a vulnerability in the LastPass bookmarklet system, which offers LastPass functionality in browsers for which there is no native plug-in, that could grant access to the LastPass account; the second, a vulnerability that could allow an attacking site to force the generation of an insecure one-time password through the same bookmarklet.

According to LastPass, the vulnerabilities were not as severe as they sound - they could only function in targeted attacks where the attacker already knows the target's LastPass username - and were resolved in September 2013. Now, Li is going public with a report on his discoveries - hence the new announcement from LastPass - but the company claims its users should be entirely secure. 'If you are concerned that you’ve used bookmarklets before September 2013 on non-trustworthy sites, you may consider changing your master password and generating new passwords,' the company confirmed in its statement, 'though we don’t think it is necessary.'