Web surfers frustrated with the task of managing a forest of user names and passwords have been flocking to LastPass in an effort to simplify. But now a a security researcher says that a security flaw in that company’s Web site could reveal sensitive account details.
Mike Cardwell, an independent security researcher based in the United Kingdom wrote in a blog post on Saturday that he had discovered a cross site scripting flaw in LastPass’s Web site that allowed him to glean the account e-mail, as well as a list of Web sites belonging to a particular LastPass account. Cardwell wasn’t able to get LastPass to divulge account passwords, but he warned that such an attack may be possible.
LassPass is a popular online password management service. Users can download the company’s software for free and use it to manage their access to third party Web sites such as online banking and e-commerce sites, Webmail and so on. LastPass secures those account logins and provides features for generating strong passwords for online accounts. Users of the system need only remember their LastPass password to access the sites they want, rather than a dozen or more individual site passwords. However, LastPass’s role as a repository for sensitive account and financial information makes it a fat target for hackers. Cardwell reported the hole to LastPass, which issued a fix within hours and acknowledged the problem in a blog post.
The company claimed that no client data was impacted and admitted that shortcomings in its testing procedures were to blame for missing the cross site scripting hole. In addition, the site said it had implemented a number of changes to reduce the chances of other, similar attacks working. Among them, LastPass implemented HTTP Strict Transport Security (HSTS) for the Lastpass.com domain. That will ensure that Web browsers are forced to use SSL on that domain. (Currently, Chrome and Firefox 4 support HSTS). The company also said it was implementing “something very similar to Content Security Policy (CSP), currently a technology specification developed by Mozilla to allow Web designers and administrators to specify how content interacts on their Web sites.
But Cardwell said he is concerned that other Cross Site Scripting holes may be lurking on LastPass’s Web site. “As it stands, any XSS vulnerability leads to the exposure of a treasure trove of highly personal information. Perhaps its just inherently dangerous to outsource your password management to a third party.”
