Developers of the LastPass password manager have fixed a vulnerability that allowed websites to steal the credentials for the last account the user had logged into with the Chrome or Opera extension.
The vulnerability was discovered late last month by Google Project Zero researcher Tavis Ormandy, who privately reported it to LastPass. In a write-up published on Sunday, Ormandy said the flaw stems from the way the extension generates popup windows. In certain situations, a website can produce the popup by creating an HTML iframe that points at the LastPass popupfilltab.html window, instead of going through the expected procedure of calling a function named do_popupregister(). In some cases, this unexpected path caused the popup to open pre-filled with the password for the last visited site.
"Because do_popupregister() is never called, ftd_get_frameparenturl() uses only the last cached value in g_popup_url_by_tabid for the current tab," Ormandy wrote. "This means that clickjacking will cause you to leak the credentials for the previous site that was signed in to in the current tab."
Clickjacking is a class of attack that hides the true destination of the site or resource behind a web link. In its most common form, a clickjacking attack places a malicious link in a transparent layer over a visible link that looks harmless. A user who clicks the visible link opens the malicious page or resource rather than the one that appears safe.
"However, this will prompt you if you try to fill or copy credentials via clickjacking, because frame_and_topdoc_has_same_domain() returns false," Ormandy continued. "This can be circumvented because you can make an association by looking for a site that frames an untrusted page."
The researcher then showed how such a bypass could work by combining two domains into a single URL.
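The stale-cache behaviour Ormandy describes, and the kind of check that would have prevented it, can be illustrated with a small model. This is an added example, not LastPass code: the function names mirror the ones quoted above, but the bodies, the tab id and the hostnames are constructed for the illustration.

```javascript
// Hypothetical model of the bug class described above; an added illustration, not LastPass code.
// Function names mirror those quoted in the article; the bodies are constructed for this example.
const g_popup_url_by_tabid = new Map(); // per-tab cache of the URL last registered for a fill

// Expected path: the page requesting a fill registers its URL for the tab first.
function do_popupregister(tabId, frameUrl) {
  g_popup_url_by_tabid.set(tabId, frameUrl);
}

function origin(url) {
  return new URL(url).origin;
}

// Vulnerable lookup: returns whatever the tab last registered, even when do_popupregister()
// was never called for the page now in that tab (the stale-cache behaviour quoted above).
function ftd_get_frameparenturl_vulnerable(tabId) {
  return g_popup_url_by_tabid.get(tabId) || null;
}

// Hardened lookup: the cached entry is used only if it was registered for the origin of the
// frame actually asking, and the fill is refused when the frame and the top document differ
// in origin (the role frame_and_topdoc_has_same_domain() plays in the article).
function ftd_get_frameparenturl_hardened(tabId, frameUrl, topUrl) {
  const cached = g_popup_url_by_tabid.get(tabId);
  if (!cached || origin(cached) !== origin(frameUrl)) return null; // unregistered or stale
  if (origin(frameUrl) !== origin(topUrl)) return null;            // framed cross-origin
  return cached;
}

// Which vault entry a fill would draw on; null means the extension should prompt or refuse.
function credentialSiteFor(lookup, tabId, frameUrl, topUrl) {
  const url = lookup(tabId, frameUrl, topUrl);
  return url ? origin(url) : null;
}

// Constructed scenario: a legitimate fill on bank.example, then a second page loaded in the
// same tab (tab 7) builds the popup frame directly without ever calling do_popupregister().
function staleTabScenario(lookup) {
  g_popup_url_by_tabid.clear();
  do_popupregister(7, "https://bank.example/login");
  return credentialSiteFor(lookup, 7, "https://other.example/", "https://other.example/");
}

// Constructed scenario: the registered page is itself framed by an unrelated top document.
function crossOriginFrameScenario(lookup) {
  g_popup_url_by_tabid.clear();
  do_popupregister(7, "https://bank.example/login");
  return credentialSiteFor(lookup, 7, "https://bank.example/login", "https://other.example/");
}
```

In both scenarios the vulnerable lookup hands back the bank.example entry, while the hardened lookup returns null and the extension falls back to prompting the user.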
In a series of updates, Ormandy described simpler ways of carrying out the attack. He also described three other vulnerabilities he found in the extensions, including:
- handle_hotkey() did not check for trusted events, so websites could generate arbitrary hotkey events
- a bug that allowed attackers to disable multiple security checks by setting the string "https://login.streetscape.com" in code
- a routine called LP_iscrossdomainok() that could bypass other security checks
LastPass published a post on Friday announcing that the bugs had been fixed and describing the "limited circumstances" required to exploit them.
"To exploit this bug, a LastPass user would have to perform a number of actions, such as filling in a password with the LastPass icon, then visiting a victim or malicious page, and then being tempted several times to click on the page," wrote LastPass representative Ferenc Kun. "This exploit may result in exposure of the last site credentials LastPass has filled in, and we quickly worked on developing a fix and on checking with Tavis whether the solution is comprehensive."
Do not abandon your password manager
The vulnerability highlights the drawback of password managers, a tool that many security experts consider essential for good security. By creating and storing a strong password that is unique to each account, password managers provide a critical alternative to password reuse. They also make it far easier to use genuinely strong passwords, because users do not have to remember them. If a site breach exposes user passwords in cryptographically hashed form, there is little chance of anyone cracking the hash, because the plaintext password is strong. Even if a breach exposes passwords in plaintext, the password manager ensures that only a single account is compromised.
The disadvantage of password managers is that the consequences can be severe if they fail. It is not uncommon for users to store hundreds of passwords in a password manager, including those for bank, 401k, and email accounts. A compromise of the password manager risks revealing the credentials for many accounts at once. On balance, I still recommend that most users use a password manager unless they develop another technique for generating and storing strong passwords that are unique to each account. Just as important is the use of multi-factor authentication whenever possible. By far the most secure and easiest-to-use form of MFA is the cross-industry WebAuthn standard, but the time-based one-time passwords generated by authenticator apps are also relatively secure. And despite the criticism that SMS-based MFA receives, for good reason, even that weaker protection would probably be enough to protect most people from account takeovers.
The LastPass flaw is fixed in version 4.33.0. The extension update should install automatically on users' computers, but it is not a bad idea to check. While LastPass said the bug was limited to the Chrome and Opera browsers, the company pushed the update to all browsers as a precaution.