March 1st, 2011, 07:19 GMT · By

LastPass Fixes Serious Cross-Site Scripting Vulnerability

LastPass tightens its website's security
Password management service LastPass has fixed a serious cross-site scripting vulnerability on its website which could have been exploited to obtain sensitive information about other people's accounts.

LastPass allows users to generate secure passwords for each of their accounts and store them inside an encrypted container controlled by a master password.

The company offers extensions for all major browsers, which help with auto-fill and other operations, but the login details can also be accessed via its website.

The flaw on lastpass.com was discovered by a UK independent security researcher named Mike Cardwell who notified the company about it.

"I reported this vulnerability responsibly, and they fixed it within three hours," Cardwell writes. However, he adds that "if you're a LastPass user you should still be very concerned though; I believe this is ultimately a problem with their architecture and something which could easily happen again in future."

The vulnerability, which according to LastPass was a reflected cross-site scripting (XSS) flaw, could have been exploited by loading the vulnerable page in a frame on another website.

If a victim had browsed that website while logged into LastPass, the attacker could have retrieved their email address, password reminder, list of sites and a history of their logins.

In a post on its official blog, LastPass assures users that the vulnerability was fixed before anyone had the chance to exploit it for malicious purposes.

"The cause of this issue was with our testing procedure for this particular case, which has been rectified," the company says, adding that it has also made other security-related changes to its website.

One was to implement the HTTP Strict Transport Security (HSTS) policy, which forces compatible browsers like Chrome and Firefox to always use HTTPS when connecting to the site.

It also improved input filtering and added the X-Frame-Options response header, which tells browsers that loading content from the site in a frame is not allowed.

Finally, the company is also in the process of adding support for Mozilla's Content Security Policy (CSP) specification, which can be used to restrict the domains from which content can be loaded into the website.
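The following is an added example, not LastPass's code, illustrating the two defensive measures this article describes: output escaping for a reflected parameter (the class of flaw Cardwell found) and the three response headers LastPass adopted (HSTS, X-Frame-Options, CSP). The header values, the `audit_headers` checker and the `name` query parameter are assumptions chosen for illustration; the audit thresholds (a six-month HSTS max-age, a `default-src` without `*` or `'unsafe-inline'`) are common practice, not anything the article attributes to LastPass.

```python
"""Added example (not LastPass code): escape a reflected parameter and audit
the HSTS / X-Frame-Options / CSP headers described in the article."""
import html
import re
from urllib.parse import parse_qs

# Hardening headers comparable to the ones the article describes.
# These values are assumptions for illustration, not LastPass's actual policy.
HARDENING_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}

MIN_HSTS_MAX_AGE = 180 * 86400  # roughly six months, a common audit threshold


def _csp_directives(csp: str) -> dict:
    """Split a CSP string into {directive: [sources...]}."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers: dict) -> list:
    """Return a list of findings for a response's headers.

    Header names are matched case-insensitively, as browsers treat them.
    An empty list means every check passed.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # HSTS: present, and with a max-age long enough to matter.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing HSTS")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age too short")

    # X-Frame-Options: only DENY and SAMEORIGIN actually restrict framing.
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("framing not restricted by X-Frame-Options")

    # CSP: present, with a default-src that is neither wildcard nor inline.
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing CSP")
    else:
        sources = _csp_directives(csp).get("default-src")
        if sources is None:
            findings.append("CSP has no default-src")
        elif "*" in sources or "'unsafe-inline'" in sources:
            findings.append("CSP default-src too permissive")
    return findings


def render_greeting_unsafe(query: str) -> str:
    """Vulnerable pattern: reflects the 'name' query parameter into HTML verbatim."""
    name = parse_qs(query).get("name", [""])[0]
    return f"<p>Hello, {name}</p>"


def render_greeting_safe(query: str) -> str:
    """Hardened form: HTML-escape the reflected value before it reaches the page."""
    name = parse_qs(query).get("name", [""])[0]
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    # Constructed query string: the parameter carries an HTML tag.
    query = "name=%3Cb%3Ex%3C%2Fb%3E"
    print(render_greeting_unsafe(query))  # tag survives into the markup
    print(render_greeting_safe(query))    # tag is rendered as text
    print(audit_headers(HARDENING_HEADERS))  # [] : all checks pass
    print(audit_headers({}))  # every header missing
```

Escaping at the point of output is what makes reflected input inert, while the headers reduce the blast radius of any bug that slips through: HSTS keeps the session on HTTPS, X-Frame-Options blocks the framing step the article describes, and CSP limits where scripts and other content may be loaded from.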

READER COMMENTS:


Comment #1 by: Steve on 01 Mar 2011, 18:37 UTC

This is enough for me not to use it yet. Thank you for being so honest!!
