LastPass touts itself as the most secure web-based password manager for Internet users who can't memorize hundreds of passwords for their various online accounts, so when a vulnerability is found in its products, trust issues are sure to crop up.
The company revealed Friday that researchers from the University of California, Berkeley found two security holes in the LastPass password manager that could have let attackers exploit the service in an attempt to retrieve the millions of passwords stored on the company's servers.
LastPass describes the first vulnerability as a "novel" one, because it concerns its bookmarklets, one of its less-used products. The company says only 1% of LastPass users have bookmarklets in place, since the overwhelming majority of users prefer its more comprehensive browser plugin. Bookmarklets are special bookmark buttons that let users trigger a LastPass action on any web page, such as Login, Autofill or Fill Forms.
Using dummy accounts, the researchers found that if a user clicks one of these bookmarklets while visiting a malicious website, that website could force LastPass to reveal the user's credentials for other websites, such as Gmail or Dropbox. The reason is that a bookmarklet's code runs inside the visited page's own JavaScript environment, which the page controls.
"Any website where the user clicks the bookmarklet can learn these pseudo-identifiers h and _LASTPASS_RAND," explain the researchers, led by Zhiwei Li, in a paper (pdf). "This allows colluding websites to track a user, violating the user's privacy expectations. Additionally, this also allows a single website to identify and link multiple accounts belonging to the same issues, which violates the unlinkability goal."
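The bookmarklet problem described above, as an added model written for this page rather than LastPass's own code: JavaScript injected by a bookmarklet executes in the visited page's realm, so any global it relies on (here `JSON.parse`) can have been replaced by the page before the user clicks. The vault contents, hostnames and realm structure are constructed for the example; the hardened variant models the usual fix, doing the sensitive work in a frame on the password manager's own origin that checks the requesting origin and hands back only the matching entry.

```javascript
// Constructed sample vault, already decrypted on the client for the sake of the model.
const vaultJson = JSON.stringify([
  { host: "mail.google.com", user: "alice@example.com", password: "hunter2" },
  { host: "www.dropbox.com", user: "alice", password: "s3cret" },
]);

// Minimal model of a page's JavaScript realm: its location, its JSON object, and a
// sink where a malicious page collects whatever it manages to intercept.
function makeHonestRealm(hostname) {
  return { location: { hostname }, JSON: { parse: JSON.parse }, stolen: [] };
}

// A malicious page hooks JSON.parse before the user ever clicks the bookmarklet.
function makeMaliciousRealm(hostname) {
  const realm = makeHonestRealm(hostname);
  const nativeParse = realm.JSON.parse;
  realm.JSON.parse = function (text) {
    const value = nativeParse(text);
    if (Array.isArray(value)) realm.stolen.push(...value); // exfiltrate every entry
    return value;
  };
  return realm;
}

// Vulnerable design: the bookmarklet decodes the whole vault with the page's JSON
// object and only afterwards selects the entry for the current site. By then the
// page's hook has already seen credentials for every other site.
function vulnerableBookmarklet(realm, json) {
  const vault = realm.JSON.parse(json);
  return vault.filter((e) => e.host === realm.location.hostname);
}

// Hardened design: the bookmarklet forwards only a request (the page's origin) to a
// frame on the password manager's origin. That frame uses its own untampered globals,
// derives the hostname from event.origin rather than from anything the page sent,
// and returns only the matching entry. The cross-origin message is modeled as a call.
function vendorFrameHandler(json, event) {
  const vault = JSON.parse(json); // vendor realm's native JSON; the page cannot reach it
  const host = new URL(event.origin).hostname;
  return vault.filter((e) => e.host === host);
}

function hardenedBookmarklet(realm, json) {
  const event = { origin: "https://" + realm.location.hostname };
  return vendorFrameHandler(json, event);
}
```

Running `vulnerableBookmarklet` against the malicious realm returns nothing for `evil.example` yet leaves both Gmail and Dropbox credentials in `realm.stolen`; the hardened path leaves `stolen` empty because the page never holds the vault at all.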
The second security hole involves one-time passwords, a feature that lets users create self-destructing passwords for situations where a password should be used only once, such as on a public computer at the local library. LastPass calls this a "targeted attack": hackers cannot go after random users' LastPass accounts, because they have to know a user's username before they can exploit the one-time-password feature.
Even if an attacker gets hold of a username, he still has to decrypt the user's passwords, which is very difficult without the encryption key. However, Li and his colleagues say that a hacker could still obtain the list of websites the user has passwords for, steal an encrypted copy of the password list, or delete the list altogether.
Still, LastPass is not worried, saying that users can change their passwords if they wish, "though we don't think it's necessary." The vulnerabilities were first discovered in August last year, and the company says it waited for the research team to publish their study before telling customers about it.
"Zhiwei only tested these exploits on dummy accounts at LastPass and we don't have any evidence they were exploited by anyone beyond himself and his research team," says LastPass in a blog post. "The reported issues were addressed immediately, as confirmed by their team, and we let them publish their research before discussing it."