LastPass is telling users who used its bookmarklets before September 2013 on untrusted sites that they may want to change their master password, although the company does not consider this strictly necessary.

The reason is that a security researcher notified the company of a vulnerability in this feature that could be exploited against a user who invoked the bookmarklet while on an attacker-controlled site.

The flaw was discovered by Zhiwei Li of UC Berkeley; no technical details of how the attack would be carried out have been published.

LastPass has addressed the issue and says it has no evidence that the vulnerability was ever exploited in the wild.

“If you are concerned that you’ve used bookmarklets before September 2013 on non-trustworthy sites, you may consider changing your master password and generating new passwords, though we don’t think it is necessary,” reads a post from the LastPass team.

Bookmarklets are bookmarks that, instead of opening a URL, execute JavaScript inside the page currently being visited. LastPass offers them as a way to access information in a LastPass account from browsers where the LastPass plugin cannot be installed. Because that code runs in the context of whatever page is open, it inherits the JavaScript environment that page has set up.

Zhiwei also reported a second flaw that would let an attacker who knows a potential victim's LastPass username create a fake OTP (one-time password) for that account.

This would only be usable in a targeted attack, since the attacker would need to know the username of the victim's account in order to go after it. Even if such an attack succeeded, the company says, “the attacker would still not have the key to decrypt user data.”

“Zhiwei only tested these exploits on dummy accounts at LastPass and we don't have any evidence they were exploited by anyone beyond himself and his research team. The reported issues were addressed immediately,” the blog post says.