A Note from LastPass

LastPass is in part able to achieve the highest level of security for our users by looking to our community to challenge our technology.

In August 2013, a security researcher at UC Berkeley, Zhiwei Li, contacted us to responsibly disclose novel vulnerabilities in the LastPass bookmarklets (actively used by less than 1% of the user base) and One Time Passwords (OTPs). Zhiwei discovered one issue that could be exploited if a LastPass user utilized the bookmarklet on an attacking site, and another issue in which an attacking site, visited by a LastPass user while logged into LastPass, could use that user's username to potentially create a bogus OTP.

Zhiwei only tested these exploits on dummy accounts at LastPass, and we don’t have any evidence they were exploited by anyone beyond him and his research team. The reported issues were addressed immediately, as confirmed by their team, and we let them publish their research before discussing it.

If you are concerned that you’ve used bookmarklets before September 2013 on non-trustworthy sites, you may consider changing your master password and generating new passwords, though we don’t think it is necessary.

Regarding the OTP attack, it is a “targeted attack”: an attacker would need to know the user’s username to potentially exploit it and would have to serve that custom attack per user, activity which we have not seen. Even if this was exploited, the attacker would still not have the key to decrypt user data. If you’d like to check your current OTPs, you can do so here: https://lastpass.com/otp.php

We appreciate that, as the most popular password manager in the world, we have an active, dedicated community that challenges us to be better and is committed to helping us improve the security of our service. Again, we thank Zhiwei and his team for their important research.

Regards,
Joe & The LastPass Team

28 Comments

  • Anonymous says:

    http://askleo.com/is-lastpass-still-secure/

    “Rather than say nothing at all, LastPass chose to be open about the discovery. I don’t want panicked over-reaction to punish them for doing the right thing.”

  • Anonymous says:

    I’ve been a paying customer since LastPass offered a Premium option. I find these revelations disturbing. Even more disturbing is that this blog post seems focused on minimizing the significance — even the title “A Note from LastPass” seems designed to avoid raising concerns.

    I agree with other posters that LastPass needs to do more to reassure its customers regarding the security of the product, whether by opening up parts of the code, commissioning and publishing independent security assessments, and/or being more open about its internal security practices.

    In the meantime, I’m in the market for a new password manager.

    • Anonymous says:

      I’m not suggesting to treat this issue lightly… Just would like to point out that the other options out there may or may not be better… See arstechnica.com/security/2014/07/severe-password-manager-attacks-steal-digital-keys-and-data-en-masse for some issues uncovered in some other password managers.

    • Anonymous says:

      LastPass should definitely be more forthcoming, but your new password manager is going to be vulnerable too. All software is vulnerable, has bugs and security holes. The question has never been “do bugs exist” (they do), the question is, are they dealing with them as quickly as they can and responsibly disclosing? Yes, they are. Keep looking for unicorns if you like, but you’re going to keep on being disillusioned about broken software for the rest of your life, because everything is broken:
      https://medium.com/message/81e5f33a24e1

      And opening the source doesn’t guarantee anything, especially not security. Just look at Heartbleed, a basic mistake that had been hanging around for YEARS and nobody even noticed. Software security isn’t about perfection, it’s about risk mitigation.

  • Anonymous says:

    I am very worried about this.
    Last Pass is turning into a honey pot for hackers that want to steal money with the victim not even knowing it.
    Tighten up your security and get more involvement from your community.
    Proprietary software in a nutshell.

  • Anonymous says:

    Hello,

    I am a paying customer and I find this disquieting. I am not going to jump ship but your total value proposition (to me) is to prevent stuff like this from happening.

    I appreciate you blogging about this (but also realize you had no choice since the information was not yours to keep a lid on) but I would much rather hear about what you are doing to proactively prevent this from ever happening again (external code review, automatic code checkers, etc).

    Cheers,
    Rasmus

  • What exactly are bookmarklets? Lastpass says only a small amount of users use them – It’s not the bookmarks we save in our vaults or is it?

    • mxx says:

      See https://en.wikipedia.org/wiki/Bookmarklet
      In LastPass’ case these are special bookmarks created for platforms that don’t support full application/plugin integration, to automatically fill in your login info (such as iOS or a browser where you don’t want to install the LastPass plugin).

      It is not bookmarks you save in your vault.

  • Anonymous says:

    Does this mean users should remove any existing bookmarklets and install the latest versions from LastPass?

    • Anonymous says:

      JavaScript has so many vulnerabilities so this is no surprise.
      What is a surprise is that even though LP claims only 1% of users are using bookmarklets, they’re still available as what was until recently (at least for Android) the only way to use LP without copying and pasting from the vault. iOS still requires bookmarklets, and even if the 1% figure is correct, all it’d take is to click “add bookmarklets”, since it automatically pastes the JavaScript to the clipboard!
      As for OTPs, the advice is “click this link to check your OTPs”, like it’s a solution.
      I have one final gripe: LP says they have no evidence any accounts except for the dummy accounts from the study were affected. I sincerely doubt 1) they would know which accounts were affected and 2) any compromised accounts would be accessed in such a way hackers would draw attention to the fact (why wouldn’t the hacker quietly access a customer’s ENTIRE password details and keep evidence hidden so as to continue accessing the account for times when passwords change?)
      If a hacker has the key to your LP, they probably have your email info too, so there’s absolutely nothing stopping a hacker getting the login email, is there?
      Until I hear some sort of security audit by an independent third party has checked LP, I’m done using it. It’s cost me nearly $400 in lost bitcoins due to their “we’re not affected by HeartBleed, whoops, we are affected” bull crap, and I’m done risking all my info for a company so incompetent and reactive.

      LAST PASS, be proactive for once and fix the damned security bugs, not to mention functional bugs.

      This is a university nice enough to tell you of gaping security holes…. Without an audit I can’t trust you now with my life/privacy.

    • mxx says:

      Anonymous,

      You could not be more wrong about everything you said above!
      What you are doing is spreading FUD!

      Any vulnerabilities that javascript has are fixed faster than on virtually any other platform!

      The problem that affected bookmarklets HAS BEEN FIXED ALMOST A YEAR AGO! Obviously they are going to be available, because there’s nothing wrong with bookmarklets.

      Yes, it is a solution for OTP! You disable existing ones and generate new ones! It is a perfect solution to prevent leaked OTP!

      1) They know which accounts could have been affected because they have access logs from their servers and they know what pattern to search for.
      2) If you are worried you should expire all existing sessions and change your master password and any relevant affected passwords.

      If you know anything about security, one of the very first things everyone says is to periodically change your password! Why aren’t you doing this?!

      What login email are you talking about?! LastPass does not send out password reset emails!

      There have been security audits done before! Read my link posted above! LastPass is written in fucking javascript! Any half-assed monkey can read through it, compare what’s being sent over the wire to what’s being generated by your own javascript code, and see that it’s identical!
      You did not lose $400 in bitcoins because of lastpass! You are a liar and a drama queen! gtfo!