A Note from LastPass

LastPass achieves a high level of security for our users in part by inviting our community to challenge our technology.

In August 2013, Zhiwei Li, a security researcher at UC Berkeley, contacted us to responsibly disclose novel vulnerabilities in the LastPass bookmarklets (actively used by less than 1% of the user base) and in One Time Passwords (OTPs). Zhiwei discovered one issue that could be exploited if a LastPass user ran the bookmarklet on an attacking site, and another that could be exploited if a user visited an attacking site while logged into LastPass, where the site, knowing the user’s username, could potentially create a bogus OTP.

Zhiwei tested these exploits only on dummy accounts at LastPass, and we have no evidence that they were exploited by anyone beyond him and his research team. The reported issues were addressed immediately, as confirmed by his team, and we let them publish their research before discussing it.

If you are concerned that you used the bookmarklets on untrustworthy sites before September 2013, you may consider changing your master password and generating new passwords, though we do not think this is necessary.

The OTP attack is a targeted attack: to exploit it, an attacker must know the user’s username and serve a custom attack to that specific user, activity we have not seen. Even if it had been exploited, the attacker would still not have the key needed to decrypt user data. If you would like to check your current OTPs, you can do so here: https://lastpass.com/otp.php

We appreciate that, as the most popular password manager in the world, we have an active, dedicated community that challenges us to be better and is committed to helping us improve the security of our service. Again, we thank Zhiwei and his team for their important research.

Joe & The LastPass Team
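The bookmarklet issue above is described only in terms of who is at risk. The added JavaScript example below illustrates, in general terms, why running a password manager’s bookmarklet on a hostile page is dangerous: a bookmarklet executes inside the page’s own JavaScript realm, where the page’s scripts have already run and can have replaced any global the bookmarklet relies on. This is not LastPass code and is not a reconstruction of the specific flaw Zhiwei Li reported; the function names, the toy XOR “decryption”, the simulated window object, the page-origin check and the attacker’s capture mechanism are all assumptions made for illustration.

```javascript
// Added illustration (not LastPass code, not the reported flaw): a minimal
// model of why code a bookmarklet injects into a page cannot trust that page.

// Toy reversible XOR transform standing in for real decryption (assumption).
function toyDecrypt(ciphertext, key) {
  return Array.from(ciphertext, (ch, i) =>
    String.fromCharCode(ch.charCodeAt(0) ^ key.charCodeAt(i % key.length))
  ).join('');
}
// XOR is symmetric, so the same routine encrypts (used to build sample data).
function toyEncrypt(plaintext, key) { return toyDecrypt(plaintext, key); }

// Stand-in for the browser `window` object the bookmarklet runs in (constructed).
function makeRealm() {
  return {
    JSON: { parse: JSON.parse, stringify: JSON.stringify },
    passwordField: '',
    // Hypothetical page-level helper that writes into the login form.
    setPasswordField(value) { this.passwordField = value; },
  };
}

// Hypothetical VULNERABLE bookmarklet: carries the key into the page realm,
// decrypts there, and calls page globals to fill the form.
function vulnerableBookmarklet(win, blob, key) {
  const record = win.JSON.parse(toyDecrypt(blob, key));
  win.setPasswordField(record.password);
  return win.passwordField;
}

// Hostile page: runs before the bookmarklet, swaps out JSON.parse, and keeps
// a copy of every string that passes through it. Any other global the
// bookmarklet touches (XMLHttpRequest, DOM helpers, ...) could be wrapped the
// same way.
function attackerPrepare(win) {
  const captured = [];
  const realParse = win.JSON.parse;
  win.JSON.parse = (text) => { captured.push(text); return realParse(text); };
  return captured;
}

// HARDENED design: decryption never happens in the page realm. The bookmarklet
// only talks to an isolated context (in a browser this would be an iframe on
// the password manager's own origin, reached over postMessage). That context
// holds the key, uses its own untouched built-ins, and releases only the
// credential matching the origin it observed for the caller.
function makeIsolatedContext(key, vault) {
  const parse = JSON.parse; // bound here, outside any page's reach
  return {
    // `callerOrigin` models what the isolated side learns from the browser
    // (e.g. event.origin on a postMessage), NOT a value the page supplies.
    fill(callerOrigin) {
      for (const blob of vault) {
        const record = parse(toyDecrypt(blob, key));
        if (record.site === callerOrigin) return record.password;
      }
      return null; // no credential for this origin: release nothing
    },
  };
}
function hardenedBookmarklet(win, isolated, callerOrigin) {
  const password = isolated.fill(callerOrigin);
  if (password !== null) win.setPasswordField(password);
  return password;
}

// Worked scenario on constructed sample data.
function demo() {
  const key = 'k3y';
  const vault = [
    toyEncrypt(JSON.stringify({ site: 'bank.example', password: 'hunter2' }), key),
    toyEncrypt(JSON.stringify({ site: 'shop.example', password: 'tr0ub4dor' }), key),
  ];

  // 1. Vulnerable bookmarklet on evil.example: the page sees the plaintext
  //    record, including a credential for a different site.
  const win1 = makeRealm();
  const captured1 = attackerPrepare(win1);
  vulnerableBookmarklet(win1, vault[0], key);

  // 2. Hardened bookmarklet on the same hostile page: nothing passes through
  //    page globals, and the origin check releases no credential at all.
  const win2 = makeRealm();
  const captured2 = attackerPrepare(win2);
  const isolated = makeIsolatedContext(key, vault);
  const released = hardenedBookmarklet(win2, isolated, 'evil.example');

  return {
    leakedToPage: captured1.length > 0,
    leakedText: captured1[0],
    hardenedLeak: captured2.length > 0,
    hardenedReleased: released,
  };
}
```

The point of the hardened variant is not the origin check alone: once a credential is written into a page, that page can read it, so the isolated context must also refuse to release credentials for any origin other than the one it can verify. That limits a hostile page to the credential it would be entitled to see anyway, instead of the contents of the whole vault.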


  • Patsy says:

    Good Lord, how I hate this thing!!!!! I followed the instructions. It said it imported everything and I could delete it. I did. I have no passwords, and the reason for signing up for this is I lost my password book. But Chrome remembered most of them. Now they are gone. I couldn’t even get to my e-mail. But it says it will automatically enter any site I use, so I set out to set passwords one by one, and does it save a single ONE? No, it does not. All it does is ask me to sign in to my vault. I must have entered that password 20 times in the past hour. Life was much better without it, and I should have started a new book. Today would not be a good day to see the person who suggested this disaster. Maybe better instructions for those of us who are not techs.

    • Amber Gott says:

      Hi Patsy: We’re sorry to hear of the trouble with LastPass. It sounds like it’s either not installed in the browser or you’re not logged in with your account. Are you able to click the LastPass * button in the browser toolbar to login, then try going to your sites? If problems continue please get in touch with our team here: https://lastpass.com/supportticket.php – we’re happy to help.

  • Anonymous says:

    Actually, one of the attacks published would have allowed a malicious or compromised website to decrypt your passwords for any and all sites stored in LastPass (http://devd.me/papers/pwdmgr-usenix14.pdf). Publishing misinformation about the severity of the vulnerability is an example of exactly the lack of transparency I find disturbing.

    In the spirit of constructive criticism: LastPass’ value proposition is compelling if it is more convenient AND less risky than managing passwords in other ways. You should be asking yourselves, “How can we better mitigate risks, and how can we make a realistic, trustable risk assessment available to our users.” I still believe it is less risky than a policy of using the same password on all websites, for example, but you aren’t making it easy for me to justify that.

    As a customer, I have to choose to trust statements like “we work closely with independent security researchers,” rather than getting to see those reports myself. Instead, what I want is transparency into your security and auditing processes. How are audits conducted? By whom? How often? Can I see the results? How do they compare to other companies’ results?

    This is something that will benefit you as a company, and me as a customer. It works on the same “show me, don’t tell me” principle of open source code. Look at any regulated industry for examples. Does the FDA take a drug company’s word for it, or do they require detailed audit trails?

    • Julius says:

      So, you want to blame LastPass for (rather stupid) users going to malicious websites, and then claim these malicious or compromised websites offer those sites to a targeted user only (there is no other way, if you read the attacks’ 101), those sites know the username of the LastPass user (which can be changed and made up to be as hard to guess as a password), and then hope and pray they can log in without LastPass informing the user about suspicious logins, or LastPass noticing physically separated logins to one account at one time? Honestly, wake up. It’s more likely to be hit by lightning. First, try LastPass, go through its config and make sure you know what you’re doing.

  • Anonymous says:

    LastPass’ reaction to these vulnerabilities is disturbing. The line being fed to users is basically: “LastPass is bulletproof.” When vulnerabilities like this are discovered, the response is to play it down. I don’t think the potential for 1% of users, or even one user, to have their entire vault compromised is a minor risk.

    That said, all software is part of a living ecosystem. Vulnerabilities will always exist, and new ones will always continue to surface. What’s disturbing here is that LastPass has not done any root cause analysis into these bugs, or published any substantive information as to how they are going to improve their security measures. Independent security audits? Penetration testing? What are you guys actually doing to keep our data safe?

    • Amber Gott says:

      We do appreciate the feedback from our users, thank you for voicing your concerns. As we noted, these discoveries were reported to us about a year ago and were immediately fixed. The attacks were novel and valid – and also orchestrated in a targeted manner. A malicious person had to have tricked you into visiting evil.com and then must specifically have known your LastPass username to execute the attack. Further, if they managed to do this, they still wouldn’t have any plaintext data and would instead have to try to brute-force your master password to try to obtain actual data. These were server-side attacks, so our response reflects that.

      We do have regular independent penetration tests and security audits, and we work closely with independent security researchers. We also actively engage and solicit the security community and are on sites like bugcrowd.com.

      Thank you again for the input and please let us know if we can be of further help.