Popular password manager LastPass said it fixed two vulnerabilities that were found last year. The disclosure comes just ahead of a security conference where a research paper describing the problems is due to be presented.
Zhiwei Li, a research scientist at Shape Security, reported the flaws to LastPass in August 2013; they were "addressed immediately," LastPass wrote on its blog.
Both flaws involved "bookmarklets," which assist in filling out stored password information when LastPass's plugin can't be used, such as when using a mobile browser.
One flaw could be exploited if a bookmarklet was used on a website rigged to attack it, LastPass wrote. The other vulnerability could allow an attacker to create a bogus one-time password (OTP) if a LastPass user was tricked into visiting a malicious website.
To carry out the OTP attack, a hacker would need to know the person's username and would also have to serve a custom attack, LastPass wrote.
"Even if this was exploited, the attacker would still not have the key to decrypt user data," the company said.
Zhiwei co-authored a research paper that has been accepted by the Usenix Security Symposium, which starts in San Diego on Aug. 20.
The study analyzed five popular Web-based password managers: LastPass, RoboForm, My1login, PasswordBox, and NeedMyPassword, all of which run in a Web browser.
The researchers wrote that "in four out of the five password managers we studied, an attacker can learn a user's credentials for arbitrary websites."
LastPass wrote it didn't believe anyone other than Zhiwei exploited the flaws. Still, "if you are concerned that you've used bookmarklets before September 2013 on non-trustworthy sites, you may consider changing your master password and generating new passwords, though we don't think it is necessary."
Send news tips and comments to firstname.lastname@example.org. Follow me on Twitter: @jeremy_kirk