Password-exposing bug purged from LastPass extensions

Screenshot from gameshow Password.

Still image from the long-running but currently defunct gameshow Password.

Developers of the LastPass password manager have patched a vulnerability that made it possible for websites to steal credentials for the last account the user logged into using the Chrome or Opera extension.

The vulnerability was discovered late last month by Google Project Zero researcher Tavis Ormandy, who privately reported it to LastPass. In a write-up that became public on Sunday, Ormandy said the flaw stemmed from the way the extension generated popup windows. In certain situations, websites could produce a popup by creating an HTML iframe that linked to the Lastpass popupfilltab.html window rather than through the expected procedure of calling a function called do_popupregister(). In some cases, this unexpected method caused the popups to open with a password of the most recently visited site.

“Because do_popupregister() is never called, ftd_get_frameparenturl() just uses the last cached value in g_popup_url_by_tabid for the current tab,” Ormandy wrote. “That means via some clickjacking, you can leak the credentials for the previous site logged in for the current tab.”

Clickjacking is a class of attack that conceals the true destination of the site or resource displayed in a Web link. In its most common form, clickjacking attacks place a malicious link in a transparent layer on top of a visible link that looks innocuous. Users who click on the link open the malicious page or resource rather than the one that appears to be safe.

“This will prompt if you try to clickjack filling in or copying credentials though, because frame_and_topdoc_has_same_domain() returns false,” Ormandy continued. “This is possible to bypass, because you can make them match by finding a site that will iframe an untrusted page.”

The researcher then showed how a bypass might work by combining two domains into a single URLs such as:

https://translate.google.com/translate?sl=auto&tl=en&u=https://www.example.com/

In a series of updates, Ormandy described easier ways to carry out the attack. He also described three other weaknesses he found in the extensions, including:

  • the handle_hotkey() didn’t check for trusted events, allowing sites to generate arbitrary hotkey events
  • a bug that allowed attackers to disable several security checks by putting the string “https://login.streetscape.com” in code
  • a routine called LP_iscrossdomainok() that could bypass other security checks

On Friday, LastPass published a post that said the bugs had been fixed and described the “limited set of circumstances” required for the flaws to be exploited.

“To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times,” LastPass representative Ferenc Kun wrote. “This exploit may result in the last site credentials filled by LastPass to be exposed. We quickly worked to develop a fix and verified the solution was comprehensive with Tavis.”

Don’t ditch your password manager just yet

The vulnerability underscores the drawback of password managers, a tool that many security practitioners say is essential for good security hygiene. By making it easy to generate and store a strong password that’s unique for every account, password managers offer a crucial alternative to password reuse. Password managers also make it much easier to use passwords that are truly strong, since users need not memorize them. In the event that a website breach exposes user passwords in cryptographically protected form, the chances of someone being able to crack the hash are slim, since the plaintext password is strong. Even in the event that the website breach leaks passwords in plaintext, the password manager ensures that only a single account is compromised.

The downside to password managers is that if or when they fail, the results can be severe. It’s not unusual for some people to use password managers to store hundreds of passwords, some for banking, 401k, and email accounts. In the event of a password-manager hack, there’s the risk that the credentials for multiple accounts can be exposed. On the whole, I still recommend most people use password managers unless they devise another technique to generate and store strong passwords that are unique to every account.

One way to reduce the damage that can occur in the event of a password manager hack is to use multi-factor authentication whenever possible. By far, the cross-industry WebAuthn is the most secure and user-friendly form of MFA, but time-based one-time-password generated by authenticator apps are also relatively secure. And despite the criticism SMS-based MFA gets—for good reason, by the way—even meager protection would likely be enough to protect most people against account takeovers.

The LastPass bug was fixed in version 4.33.0. The extension update should automatically install on users’ computers, but it’s not a bad idea to check. While LastPass said the bug was limited to the Chrome and Opera browsers, the company has deployed the update to all browsers as a precaution.

Similar Posts: