LastPass has patched a vulnerability in its Firefox add-on found by Google Project Zero researcher Tavis Ormandy that allows attackers complete remote compromise of the password manager, .
The divisive Ormandy submitted a bug report on Tuesday to LastPass after a series of tweets hinting at serious problems in the password manager. Ormandy has been behind a number of high-profile private bug disclosures to major security vendors in the past, including Kaspersky Lab, Symantec, Trend Micro, Sophos and others.
Are people really using this lastpass thing? I took a quick look and can see a bunch of obvious critical problems. I'll send a report asap.
— Tavis Ormandy (@taviso) July 26, 2016
Full report sent to LastPass, they're working on it now. Yes, it's a complete remote compromise. Yes, I promise I'll look at 1Password.
— Tavis Ormandy (@taviso) July 27, 2016
Ormandy published a report on the Project Zero bug repository that explains how LastPass 4.1.20a for Windows add-on injects elements and event handlers into a webpage; a click event handler, he said, instructs the add-on to create a privileged iframe.
Ormandy wrote:
“A page can click the LastPass icon programatically with javascript by creating a MouseEvent() with the right x:y coordinates. Normally a page would not be permitted to navigate to a resource:// url, but this just asks the add-on to do it.
The frame communicates with the add-on by posting messages to the window, and an eventhandler on the window determines if it’s trusted or not by checking the origin. But that does not make sense, because the window belongs to the attacker so they can just insert their own eventhandler before yours and modify legitimate messages!”
Ormandy provided sample code that he said should trick LastPass into processing an openURL command.
“This allows access to any of the privileged LastPass RPCs, so this is a complete compromise of the lastpass addon,” he wrote. “From here an attacker can create and delete files, execute script, steal all passwords, log victims into their own lastpass account so that they can steal anything new saved there, etc, etc.”
LastPass said this attack requires a hacker to trick a user into visiting a website hosting an exploit, either via a phishing message or other means.
“First, an attacker would need to successfully lure a LastPass user to a malicious website,” LastPass said in a statement. “Once there, Ormandy demonstrated that the website could then execute LastPass actions in the background without the user’s knowledge, such as deleting items.”
LastPass said Ormandy’s bug affects only Firefox users and an update will be pushed to the browser with the patched version, 4.1.21a; a download of the patch is also available. LastPass said LastPass 3.0 is not affected by this vulnerability, and neither are other browsers. Ormandy was given an unnamed cash reward by LastPass, which he donated to Amnesty International.
Also on Wednesday, researcher Mathias Karlsson of Detectify Labs disclosed details of a separate LastPass flaw that was patched more than a year ago, LastPass said.
The vulnerability, Karlsson said, is in the LastPass browser extension and allowed him to steal user passwords just by forcing them to visit a website. He earned a $1,000 bounty from the company.
Karlsson said the extension added HTML code to every page he visited, prompting him to investigate further. Karlsson wrote:
“The bug that allowed me to extract passwords was found in the autofill functionality. First, the code parsed the URL to figure out which domain the browser was currently at, then it filled any login forms with the stored credentials.
However, the URL parsing code was flawed (bug in URL parsing? shocker!).By browsing this URL: http://avlidienbrunn[.]se/@twitter[.]com/@hehe[.]php the browser would treat the current domain as avlidienbrunn.se while the extension would treat it as twitter.com. Since the code only URL encodes the last occurence of @, the actual domain is treated as the username portion of the URL.”
From this example, Karlsson showed how the LastPass extension would fill in his form with his stored Twitter credentials; he could then extract credentials for any site in this manner.
“All browser clients were updated and Karlsson confirmed our fix at that time, requiring no action from our users,” LastPass confirmed.