Last Monday, the popular password manager LastPass notified its users to change their master password over security concerns. The announcement was made because, in 2013, security researcher Zhiwei Li from UC Berkeley reported a vulnerability that could be leveraged against a user who used the LastPass bookmarklet on an attacking site.
The LastPass team has not discussed the technical details of the vulnerability, but it said that bookmarklets are actively used by less than 1% of its user base. "Zhiwei discovered one issue that could be exploited if a LastPass user utilized the bookmarklet on an attacking site, and another issue if the LastPass user went to an attacking site while logged into LastPass, and used their username to potentially create a bogus OTP," they added.
In its blog post, the LastPass team wrote:
“If you are concerned that you've used bookmarklets before September 2013 on non-trustworthy sites, you may consider changing your master password and generating new passwords, though we don’t think it is necessary,”
Zhiwei only tested his exploits on dummy LastPass accounts, and the LastPass team has no evidence that the vulnerability has been exploited by anyone.
Zhiwei also reported another vulnerability that would allow an attacker to use the LastPass username of a potential victim to create a fake OTP (one-time password) code. For this attack, the attacker would need the targeted user's ID, and even if the attack succeeded, the company says that "the attacker would still not have the key to decrypt user data."
UPDATE:
The researcher also tested the same exploit on four other password managers, RoboForm, My1Login, PasswordBox and NeedMyPassword, and all five (including LastPass) were found to be vulnerable. The researcher reported the vulnerability to all of them; only NeedMyPassword did not respond to the vulnerability report, and the other four have now fixed the vulnerability.