LastPass, the popular password manager for most of the top Web browsers, has fixed a couple of vulnerabilities that could have allowed an attacker to target a user and generate his own one-time passwords for that victim’s account.
The company said that its security team hasn’t seen any active attacks exploiting these vulnerabilities and doesn’t think that customers need to change their master passwords or generate new one-time passwords for their various accounts. The attack scenarios aren’t complex, but LastPass officials said that one of the vulnerabilities only affects its bookmarklet product, which only a tiny percentage of its customers use.
“In August 2013, a security researcher at UC Berkeley, Zhiwei Li, contacted us to responsibly disclose novel vulnerabilities with the LastPass bookmarklets (actively used by less than 1% of the user base) and One Time Passwords (OTPs). Zhiwei discovered one issue that could be exploited if a LastPass user utilized the bookmarklet on an attacking site, and another issue if the LastPass user went to an attacking site while logged into LastPass, and used their username to potentially create a bogus OTP,” LastPass officials said in a blog post about the vulnerabilities.
The LastPass service enables users to generate one-time passwords for various sites after setting up an account with a master password. This spares users from having to create a separate password for each site and also increases the security of their interactions with those sites. However, an attacker who could somehow get control of a user’s master password would still be able to access the victim’s other accounts on various sites.
But, despite the vulnerabilities having been present for a period of time, LastPass officials say that customers don’t necessarily need to take any action.
“If you are concerned that you’ve used bookmarklets before September 2013 on non-trustworthy sites, you may consider changing your master password and generating new passwords, though we don’t think it is necessary,” the post says.
“Regarding the OTP attack, it is a ‘targeted attack’, requiring an attacker to know the user’s username to potentially exploit it, and serve that custom attack per user, activity which we have not seen. Even if this was exploited, the attacker would still not have the key to decrypt user data.”
LastPass is an obvious target for attackers, given the value of the service it provides to users and the data it stores. In 2011, the company suffered a breach and asked all of its customers to change their passwords.