LastPass fixed two software flaws in its popular password manager nearly a year ago after being informed of their existence by a researcher, the firm has admitted.
The firm used a blog post to reveal the issues, which affected the LastPass bookmarklets (an alternative to the browser plugin, which 99 percent of users rely on) and its one-time passwords (OTPs), which allow a user to log in with a password that is valid for a single use.
Both flaws were discovered by Zhiwei Li of UC Berkeley. The bookmarklet flaw could have led to a compromise if a user visited a site built to exploit it, while the OTP vulnerability could only be used by an attacker who already knew the victim’s LastPass user name, the firm said. A more detailed explanation of the issues can be found in the co-authored paper.
“Zhiwei only tested these exploits on dummy accounts at LastPass and we don't have any evidence they were exploited by anyone beyond himself and his research team,” LastPass wrote.
“The reported issues were addressed immediately, as confirmed by their team, and we let them publish their research before discussing it.”
On the face of it these aren't major issues for LastPass, since there is no evidence either was exploited and both were fixed. However, there will be questions over the length of time it has taken to inform the world of their existence, a disclosure that has come only in advance of a presentation on the topic at a forthcoming security conference.
“We appreciate that, as the most popular password manager in the world, we have an active, dedicated community that challenges us to be better and is committed to helping us improve the security of our service. Again, we thank Zhiwei and his team for their important research,” said LastPass.
LastPass’s last significant security worry was probably the 2011 ‘hack’, which led to the firm requesting that its users reset their master password as a precaution. Although described as a minor issue, the extent of the compromise that sparked the warning was never made clear.