LastPass fixed one, is currently fixing the second

Jul 27, 2016 12:10 GMT  ·  By

July 27, 2016, will not be remembered as a quiet day for the LastPass team, as two vulnerabilities surfaced online that could allow an attacker to compromise their application.

The first one is an issue discovered by Mathias Karlsson of Detectify. The researcher explains in a blog post that the problem resided in the JavaScript code that parsed the URL of the page LastPass was working on.

LastPass could be tricked into spewing out credentials for other sites

He discovered that by tricking a user into accessing a URL in the form of attacker-site.com/@twitter.com/@script.php, the LastPass URL parsing function would be fooled into thinking it was on the twitter.com site, instead of attacker-site.com.

Because LastPass comes with an auto-fill function, the application would have pre-filled any login forms on that page with the user's credentials.

If the attacker ran JavaScript code on that site that automatically parsed and recorded any text filled in the login forms, he would have been able to extract the user's credentials.
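To illustrate the parsing mistake described above from the defender's side, here is an added example (not LastPass's or Detectify's code): a hypothetical, naive hostname extractor that gets confused by an `@` placed in the URL path, shown beside a version that relies on the browser's `URL` API and an exact-host comparison before any auto-fill. The naive logic is an assumption made for illustration, not the extension's actual code; only the URL shape comes from the article.

```javascript
// Hypothetical naive extractor: strips the scheme, then treats everything
// before the first "@" as RFC 3986 "userinfo". That is only valid inside the
// authority (the part before the first "/"), so an "@" in the path fools it.
function naiveHostname(url) {
  const withoutScheme = url.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "");
  // Illustrative defect: searches the whole string for "@" instead of
  // restricting the search to the authority component.
  const at = withoutScheme.indexOf("@");
  const rest = at >= 0 ? withoutScheme.slice(at + 1) : withoutScheme;
  return rest.split(/[/?#]/)[0].toLowerCase();
}

// Hardened: let the platform URL parser determine the host, and refuse
// anything that is not a plain http(s) URL it can parse.
function safeHostname(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return null; // unparseable input is never treated as a known site
  }
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return null;
  return parsed.hostname.toLowerCase();
}

// Auto-fill gate: credentials saved for savedHost are offered only when the
// parsed hostname of the current page matches it exactly.
function shouldAutofill(savedHost, pageUrl) {
  const host = safeHostname(pageUrl);
  return host !== null && host === savedHost.toLowerCase();
}

// Constructed sample input, in the shape the article describes.
const probe = "http://attacker-site.com/@twitter.com/@script.php";
console.log(naiveHostname(probe)); // twitter.com  (wrong site)
console.log(safeHostname(probe));  // attacker-site.com
console.log(shouldAutofill("twitter.com", probe)); // false
```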

The good news is that Karlsson informed LastPass of the issue a while back, and the dev team fixed the problem on the same day, pushing out an update to their app.

Project Zero researcher finds second bug

However, Karlsson wasn't the only one who hacked LastPass. Google Project Zero top researcher Tavis Ormandy also discovered an issue that would have led to a complete LastPass compromise.

The bad news is that this issue is not patched in current LastPass versions. The good news is that nobody except Ormandy and the LastPass team knows what this problem is, making it highly improbable for anyone to exploit it.

Normally this would be called a zero-day vulnerability, but that label does not really apply here, since nobody outside Ormandy and LastPass can take advantage of the flaw before it is patched.

UPDATE [July 27, 2016]: The LastPass team has fixed the second flaw as well. The team describes the problem on their blog as such:

  The second report was made yesterday by Google Security Team researcher Tavis Ormandy, who contacted our team to report a message-hijacking bug that affected the LastPass Firefox addon. First, an attacker would need to successfully lure a LastPass user to a malicious website. Once there, Ormandy demonstrated that the website could then execute LastPass actions in the background without the user’s knowledge, such as deleting items. As noted below, this issue has been fully addressed and an update with a fix was pushed for all Firefox users using LastPass 4.0.