On Friday our favorite password manager LastPass published a nonchalant blog post about two vulnerabilities discovered by researcher Zhiwei Li last year. The first issue involved a flaw in their bookmarklet implementation that could allow malicious websites to download credentials for other sites. The second vulnerability could allow an attacker to download someone’s encrypted password vault through a flaw in their one-time-password function. Everything has since been fixed and their only recommendation is to change your master password if you are really concerned.
The thing that irks us though is LastPass’s efforts to purposefully downplay the pair of vulnerabilities to their users. First, they minimized the exposure of the weaknesses by using a generic title for their blog post – “A Note from LastPass.” No mention of a vulnerability or a security issue … just “hey, here’s a boring note that you probably don’t want to read.” Next, LastPass posted the article late Friday to further limit the exposure of the news. And then they didn’t even post it to their Twitter or Facebook accounts like they do with their normal blog posts. Finally, they waited almost AN ENTIRE YEAR to let us know.
We are huge fans of LastPass and yes, they will continue to get our $12 a year per user, but trying to minimize security issues like this to their primarily security-conscious user base is not a step in the right direction.
Source: “LastPass security holes found by researcher, says password management firm – but no need to panic” – WeLiveSecurity.com
So what do you think LastPass was thinking with how they handled these vulnerabilities? Let us know in the comments below. Today’s post pic is from WikiMedia.org. See ya!