LastPass is one of the most popular free online password managers, where people can store the usernames and passwords of their various web accounts. Lately it has been reported that researchers have found security holes in the LastPass online password manager.
LastPass has recently faced a couple of security holes found in its popular online password management software. That is enough to send a shiver down the spines of the many internet users who trust the service to store their passwords securely, but the company says there is no need to panic. In a blog post entitled “A note from LastPass”, the company has given brief details of the flaws found in its password manager for Chrome, Firefox, Opera and Safari. The gist of the details is as below:
- The first bug is tucked into LastPass’ less-used bookmarklet offering, not the more popular LastPass plugin. LastPass says “less than 1%” of its userbase uses these bookmarklets.
- With this first exploit, if a user clicked on LastPass’ bookmarklet while on a site specifically built with this hack in mind, LastPass could be coaxed into coughing up the user’s credentials for other sites, like Dropbox, Gmail, etc.
- A second bug involves LastPass’ “One Time Password” feature. This feature lets a user log in to LastPass with a self-destructing password that only works once. It is useful in cases where you don’t necessarily trust the computer you’re using to be free of a keylogger — like, say, a public library.
- The One-Time-Password bug is strictly targeted, requiring the attacker to know the potential victim’s LastPass username prior to the attack. They don’t believe it could target LastPass users blindly.
- According to the researchers, the second bug could actually be used for three different nasty purposes: obtaining a list of all sites the user is storing passwords for, obtaining an encrypted copy of a user’s password database, or blindly deleting credentials stored in a user’s password database.
- The bugs were discovered in August 2013 by a researcher at UC Berkeley, and fixed immediately.
LastPass has recommended that its users change their master password and generate new site passwords (if they want), though LastPass doesn’t think it “necessary.”