Joe Siegrist, a cofounder and Vice President of LastPass, has this to say regarding the information: “We greatly appreciate the work of the security community to challenge our product and uncover areas that need improvement.”Īs per the policies of Project Zero, LastPass has 90 days before Ormandy and friends release the technical details of the vulnerability. After all, it’s better that vulnerabilities are found before they are a problem rather than after they have been exploited in the wild. You would think that developers are offended when people find problems in their services, but LastPass has accepted the issue report quite graciously.
Like any good developer, LastPass has expressed its commitment to solving this problem, acknowledging the threat as a legitimate issue that must be resolved.
#Lastpass browser extension vulnerability code
Any user who logs in or out could receive malicious code from the website that they are accessing. To make matters worse, the only requirements for this vulnerability to be exploited is that the extension needs to be installed. This vulnerability can be found in all extensions for major browsers, including browsers used by Windows, Linux, and potentially even Apple. Tavis Ormandy showed that LastPass’ browser extension can allow malicious websites to access the passwords stored within-even with LastPass’ considerable security measures. Google researchers from the Zero Day Project discovered this, along with other flaws within LastPass.
#Lastpass browser extension vulnerability update
Update #2 2016.07.28: Lastpass have made a comment regarding Mathias finding on their blog.One of the major password managers out there, LastPass, has become the victim of a major vulnerability.
At the time Mathias submitted this they didn’t have a bug bounty so he was more than satisfied with $1,000. Update #1 2016.07.28: There has been a lot of comments regarding the reward Mathias received from Lastpass. They are still much better than the alternative (password reuse).Īlthough, taking a second to disable autofill functionality is a good move because this isn’t the first autofill bug we’ve seen, and I doubt it will be the last.Īlso, this would not work if multi factor authentication was on, so you should probably enable that as well. Should we stop using password managers? No. The fix was pushed in less than a day(!), and they even awarded me with a bug bounty of $1,000. I reported this to LastPass through their responsible disclosure page and the report was handled very professionally. After that I could simply go through other commonly used sites and extract credentials for those too.
Too bad to be true?īelow you see that the extension would fill my form with the stored credentials for. Since the code only URL encodes the last occurence of the actual domain is treated as the username portion of the URL. Var fixedURL = & (url = url.substring(0, fixedURL.length) + "%40")) īy browsing this URL: the browser would treat the current domain as while the extension would treat it as. This was the code (lpParseUri function, un-minified): However, the URL parsing code was flawed (bug in URL parsing? shocker!). First, the code parsed the URL to figure out which domain the browser was currently at, then it filled any login forms with the stored credentials. The bug that allowed me to extract passwords was found in the autofill functionality. A few cups of coffee later, I found something that looked really, really bad. I started by noticing that the extension added some HTML code to every page I visited, so I decided to dig into how that worked. Sounds too bad to be true? That’s what I thought too before I decided to check out the security of the LastPass browser extension.įor those who don’t know, LastPass is one of the world’s most popular password managers. Stealing all your passwords by just visiting a webpage. Note: This issue has already been resolved and pushed to the Lastpass users.
0 kommentar(er)
