How I made LastPass give me all your passwords


Batu69

For those who don’t know, LastPass is one of the world’s most popular password managers.

I started by noticing that the extension added some HTML code to every page I visited, so I decided to dig into how that worked. A few cups of coffee later, I found something that looked really, really bad.

The issue

The bug that allowed me to extract passwords was found in the autofill functionality. First, the code parsed the URL to figure out which domain the browser was currently at, then it filled any login forms with the stored credentials.


However, the URL parsing code was flawed (bug in URL parsing? shocker!).

 

This was the code (lpParseUri function, un-minified):

// The greedy ".*" makes the capture group run up to the LAST "@", so only that "@" (and anything after it) is percent-encoded; earlier "@" characters in the path survive.
var fixedURL = url.match(/^(.*:\/\/[^\/]+\/.*)@/);
fixedURL && (url = url.substring(0, fixedURL[1].length) + url.substring(fixedURL[1].length).replace(/@/g, "%40"));

By browsing to this URL, http://avlidienbrunn.se/@twitter.com/@hehe.php, the browser would treat the current domain as avlidienbrunn.se, while the extension would treat it as twitter.com. Since the code only URL-encodes the last occurrence of @, the actual domain is treated as the username portion of the URL.

Too bad to be true?

Below you see that the extension would fill my form with the stored credentials for twitter.com. After that I could simply go through other commonly used sites and extract credentials for those too.

[Screenshot: Lastpass]

I reported this to LastPass through their responsible disclosure page and the report was handled very professionally. The fix was pushed in less than a day(!), and they even awarded me with a bug bounty of $1,000.

Are password managers bad?

Should we stop using password managers? No. They are still much better than the alternative (password reuse).

That said, taking a second to disable the autofill functionality is a good move, because this isn’t the first autofill bug we’ve seen, and I doubt it will be the last.

 

Also, this would not work if multi factor authentication was on, so you should probably enable that as well.

 

Article source

 

LastPass Remote Compromise vulnerability

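Added example (JavaScript; not code from the original post, nor LastPass’s own code) showing why the quoted fix-up leaves the URL ambiguous. lpStyleFixUrl reproduces the quoted regex logic. naiveHost is a hypothetical host extractor: the post does not show how the extension derived the domain from the fixed-up string, so this regex is an assumption chosen only because it reproduces the described behaviour (treating everything before the surviving "@" as userinfo). browserHost uses the WHATWG URL parser, which is what the browser itself does, and autofillAllowed is a hardened check that trusts only the browser’s hostname. The test URL is the one from the post.

```javascript
// Reconstruction of the quoted lpParseUri fix-up. The greedy ".*" makes the
// capture group extend to the LAST "@", so only that "@" and later ones are
// percent-encoded; any earlier "@" in the path survives untouched.
function lpStyleFixUrl(url) {
  const fixedURL = url.match(/^(.*:\/\/[^\/]+\/.*)@/);
  if (fixedURL) {
    url = url.substring(0, fixedURL[1].length) +
          url.substring(fixedURL[1].length).replace(/@/g, "%40");
  }
  return url;
}

// ASSUMPTION (hypothetical code, not from the post): a naive host extractor that
// strips an optional "userinfo@" prefix without requiring the userinfo to stop
// at "/". A "@" sitting in the path is therefore mistaken for the end of the
// userinfo, and whatever follows it becomes the "host".
function naiveHost(url) {
  const m = url.match(/^[a-z][a-z0-9+.-]*:\/\/(?:[^@]*@)?([^\/:?#]+)/i);
  return m ? m[1].toLowerCase() : null;
}

// What the browser believes: per the WHATWG URL standard the authority ends at
// the first "/", so any "@" further along is plain path data.
function browserHost(url) {
  return new URL(url).hostname;
}

// Hardened policy: fill a stored credential only if the browser-parsed hostname
// is the stored domain or a subdomain of it. Never derive the host with ad-hoc
// string surgery on the URL.
function autofillAllowed(url, storedDomain) {
  let host;
  try { host = new URL(url).hostname; } catch { return false; }
  return host === storedDomain || host.endsWith("." + storedDomain);
}

// Runs the page's URL through both views and the hardened check.
function demo(url) {
  const fixed = lpStyleFixUrl(url);
  return {
    fixed,
    extensionHost: naiveHost(fixed),      // twitter.com  (what the extension saw)
    browserHost: browserHost(url),        // avlidienbrunn.se (where the user really is)
    wouldFillTwitter: autofillAllowed(url, "twitter.com"),
  };
}

console.log(demo("http://avlidienbrunn.se/@twitter.com/@hehe.php"));
console.log(demo("https://mobile.twitter.com/login")); // benign case: both views agree
```

The first "@" survives the fix-up, so the naive extractor reads twitter.com while the browser is on avlidienbrunn.se; the hardened check returns false for the attacker’s page and true only for twitter.com and its subdomains.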

Security is fundamental to what we do here at LastPass. Our first priority is always responding to and fixing reports as quickly as possible.


In follow-up to recent news, we want to address in more detail two security reports that have been disclosed to our team. One report was disclosed yesterday, while the other report was responsibly reported and fixed over a year ago. Notably, both exploits do require tricking a user via a phishing attack into going to a malicious website.


The first report was responsibly disclosed to our team over a year ago by security researcher Mathias Karlsson, and fixed at that time. Karlsson recently posted his findings on the URL parsing bug. All browser clients were updated and Karlsson confirmed our fix at that time, requiring no action from our users.


The second report was made yesterday by Google Security Team researcher Tavis Ormandy, who contacted our team to report a message-hijacking bug that affected the LastPass Firefox addon. First, an attacker would need to successfully lure a LastPass user to a malicious website. Once there, Ormandy demonstrated that the website could then execute LastPass actions in the background without the user’s knowledge, such as deleting items. As noted below, this issue has been fully addressed and an update with a fix was pushed for all Firefox users using LastPass 4.0.


Further recommendations
We know the LastPass community is very security savvy, but as a reminder LastPass strongly recommends the following general best practices for online security:

  • Beware of phishing attacks. Do not click on links from people you don’t know, or that seem out of character from your trusted contacts and companies.
  • Use a different, unique password for every online account.
  • Use a strong, secure master password for your LastPass account that you never disclose to anyone, including us.
  • Turn on two-factor authentication for LastPass and other services like your bank, email, Twitter, Facebook, etc.
  • Keep a clean machine by running antivirus and keeping your software up-to-date.

Thank you again to Tavis and Mathias, and others in the security community, for their responsible disclosure. We value their work that helps us build a stronger, more secure product.
____
We want to share a quick update with the LastPass community about important fixes that we have made in response to two recent security reports. Our team worked directly with the security researchers to verify the reports made and issue a fix to LastPass users.


The recent report only affects Firefox users. If you are a Firefox user running LastPass 4.0 or later, an update will be pushed via your browser with the fix in version 4.1.21a. If you would like to update your client proactively, you can update with our download link here: https://lastpass.com/lastpassffx. You can check which version you are running in your LastPass browser addon, under the More Options menu in About LastPass. If you are running LastPass 3.0, you are not impacted and do not need to update.


Other browsers are not impacted by this report, and users do not need to take action for other browsers.


As always, we appreciate the work of the security community to challenge our product and ensure we deliver a secure service for our users. More information on these fixes will be posted here shortly.

https://blog.lastpass.com/2016/07/lastpass-security-updates.html/
