The link below takes you to the best explanation I’ve seen on two recently disclosed LastPass security flaws. A few thoughts:
- The Bookmarklet vulnerability is the more serious of the two problems, but its exploitation would be difficult – you’d have to be on a rogue or compromised site, and then use the bookmarklet to try to log into that site. Less than 1% of LastPass users use the bookmarklet. Still, I’d venture a guess that most exploits come via compromised sites, so maybe this is a bigger problem than it seems.
- The One Time Password vulnerability would be unlikely to cause a problem, as someone would need to target you with your username, and even then the person would only have access to your encrypted data.
- Most concerning is how long it took LastPass to disclose these vulnerabilities after they were patched: about 10 months. The LastPass blog post made it sound like the company was giving the researcher a chance to publish his findings first. Sounds like PR spin to me, with the company having no choice but to discuss the fixed problem after the researcher disclosed it publicly.
I’ve been using 1Password since the start of the year, but I was a devoted LastPass user prior to that. I fell into the “less than 1%” of users who used the bookmarklet. In fact, the bookmarklet is what I miss the most in 1Password, as it made browsing in Safari on iOS much easier.
Despite the way LastPass seems to be downplaying this, this one is a serious stumble that should give users pause. Still, I think a password manager like LastPass is a much better alternative to the way that most people handle passwords.
∞ LastPass security holes found by researcher, says password management firm – but no need to panic | ESET Welivesecurity Blog