At a time when security matters so much and when many companies try to hide security breaches from their customers, LastPass is showing that trust means stepping up to issues as you find them, admitting when things go wrong, and fixing them before they become a problem. In their recent blog post, LastPass noted that the bugs were discovered in August 2013 by a researcher at UC Berkeley and fixed immediately, with no evidence that any of their users were affected.
From their blog post:
In August 2013, a security researcher at UC Berkeley, Zhiwei Li, contacted us to responsibly disclose novel vulnerabilities with the LastPass bookmarklets (actively used by less than 1% of the user base) and One Time Passwords (OTPs).
LastPass said they are only now speaking of it because they wanted to allow the research team to publish their research on their own schedule.
Here is what LastPass recommends:
If you are concerned that you’ve used bookmarklets before September 2013 on non-trustworthy sites, you may consider changing your master password and generating new passwords, though we don’t think it is necessary.
An excerpt from the research paper:
We conduct a security analysis of five popular web-based password managers. Unlike “local” password managers, web-based password managers run in the browser. We identify four key security concerns for web-based password managers and, for each, identify representative vulnerabilities through our case studies. Our attacks are severe: in four out of the five password managers we studied, an attacker can learn a user’s credentials for arbitrary websites. We find vulnerabilities in diverse features like one-time passwords, bookmarklets, and shared passwords. The root causes of the vulnerabilities are also diverse: ranging from logic and authorization mistakes to misunderstandings about the web security model, in addition to the typical vulnerabilities like CSRF and XSS.
Our study suggests that it remains a challenge for password managers to be secure. To guide future development of password managers, we provide guidance for password managers. Given the diversity of vulnerabilities we identified, we advocate a defense-in-depth approach to ensure the security of password managers.