LastPass Sadly Downplays Pair of Year-Old Vulnerabilities

On Friday our favorite password manager LastPass published a nonchalant blog post about two vulnerabilities that researcher Zhiwei Li reported to them last year. The first was a flaw in their bookmarklet implementation that could let a malicious website extract a user’s credentials for other sites. The second was a flaw in their one-time-password function that could let an attacker download a user’s encrypted password vault. Both have since been fixed, and LastPass’s only recommendation is to change your master password if you are really concerned.

The thing that irks us though is LastPass’s efforts to purposefully downplay the pair of vulnerabilities to their users. First, they minimized the exposure of the weaknesses by using a generic title for their blog post – “A Note from LastPass.” No mention of a vulnerability or a security issue … just “hey, here’s a boring note that you probably don’t want to read.” Next, LastPass posted the article late Friday to further limit the exposure of the news. And then they didn’t even post it to their Twitter or Facebook accounts like they do with their normal blog posts. Finally, they waited almost AN ENTIRE YEAR to let us know.

We are huge fans of LastPass and yes, they will continue to get our $12 a year per user, but trying to minimize security issues like this to their primarily security-conscious user base is not a step in the right direction.

Source: “LastPass security holes found by researcher, says password management firm – but no need to panic” – WeLiveSecurity.com

#####

So what do you think LastPass was thinking with how they handled these vulnerabilities? Let us know in the comments below. Today’s post pic is from WikiMedia.org. See ya!

9 comments for “LastPass Sadly Downplays Pair of Year-Old Vulnerabilities”

  1. July 14, 2014 at 1:05 am

    LastPass Sadly Downplays Pair of Year-Old Vulnerabilities http://t.co/TYrzOUSCLE

  2. July 14, 2014 at 1:43 am

    BLOGGED: LastPass Sadly Downplays Pair of Year-Old Vulnerabilities http://t.co/zOtrxkMmSz

  3. July 14, 2014 at 2:35 am

    #NOVABLOGGER: LastPass Sadly Downplays Pair of Year-Old Vulnerabilities http://t.co/xU6pW4Ex70 http://t.co/GwHKpXhe0C

  4. July 14, 2014 at 9:36 am

    LastPass Sadly Downplays Pair of Year-Old Vulnerabilities | NoVA Infosec https://t.co/cZXcUZm9JJ

  5. July 14, 2014 at 10:41 am

    🙁 RT @novainfosec: LastPass Sadly Downplays Pair of Year-Old Vulnerabilities http://t.co/ZH0V4rKdzL

  6. Billy
    July 14, 2014 at 11:38 am

    Did anyone ask WHY they waited to publicly disclose?

  7. July 14, 2014 at 2:37 pm

    [email protected] Luv you guys and will continue to use but please don’t turn into one of “those” companies. http://t.co/9iWkWXlrQc

  8. July 16, 2014 at 2:00 pm

    LastPass Sadly Downplays Pair of Year-Old Vulnerabilities – see our post for more info http://t.co/qQrtLL0N7F #infosec

  9. July 17, 2014 at 9:02 am

    LastPass Sadly Downplays Pair of Year-Old Vulnerabilities – see our post for more info http://t.co/on3Oa3OBic #infosec
