A password-exposing bug has been purged from LastPass




Developers of the LastPass password manager have fixed a vulnerability that allowed websites to steal the credentials for the last account the user had logged into using the Chrome or Opera extension.

The vulnerability was discovered last month by Tavis Ormandy, a researcher with Google's Project Zero, who reported it privately to LastPass. In a writeup released on Sunday, Ormandy said the flaw stemmed from the way the extension generated pop-ups. In some situations, websites could create a pop-up by creating an HTML iframe that linked to the LastPass popupfilltab.html window, rather than going through the expected process of calling a function named do_popupregister(). In some cases, this unexpected path caused pop-ups to open with a password from the most recently visited site.

ARS TECHNICA

This story was originally published on Ars Technica, a trusted source for technology news, tech policy analysis, reviews, and more. Ars is owned by WIRED's parent company, Condé Nast.

"Because do_popupregister() is never called, ftd_get_frameparenturl() just uses the last value cached in g_popup_url_by_tabid for the current tab," Ormandy wrote. "This means that via some clickjacking you can leak the credentials for the previous site logged in for the current tab."

Clickjacking is a class of attack that conceals the true destination of the site or resource displayed in a web link. In its most common form, a clickjacking attack places a malicious link in a transparent layer over a visible link that appears benign. Users who click the link open the malicious page or resource rather than the one that appears safe.

"This will prompt you if you're trying to clickjack filling in or copying credentials, because frame_and_topdoc_has_same_domain() returns false," Ormandy continued. "You can bypass these by looking for a site that will frame an untrusted page."

The researcher then showed how a bypass could work by combining two domains in a single URL, such as https://translate.google.com/translate?sl=auto&tl=en&u=https://www.example.com/.

In a series of updates, Ormandy described simpler ways to carry out the attack. He also described three other weaknesses he found in the extensions: handle_hotkey() did not check for trusted events, allowing websites to generate arbitrary hotkey events; a bug that let attackers disable several security checks by placing the string "https://login.streetscape.com" in their code; and a routine called LP_iscrossdomainok() that could bypass other security checks.

LastPass on Friday published a post stating that the bugs had been fixed and describing the "limited set of circumstances" required for the vulnerabilities to be exploited.

"To exploit this bug, a LastPass user would have to take a series of actions, including filling a password with the LastPass icon, then visiting a compromised or malicious site, and finally being tricked into clicking on the page several times," LastPass representative Ferenc Kun wrote. "This exploit could result in the disclosure of the last site credentials filled by LastPass, and we quickly worked to develop a patch and verified with Tavis that the fix was complete."

Don't give up on your password manager just yet

This vulnerability highlights the downside of password managers, which many security practitioners consider an essential tool for good security hygiene. By making it easy to create and store a strong, unique password for each account, password managers offer a crucial alternative to password reuse. They also make strong passwords practical, because users don't have to remember them. If a website breach exposes user passwords in cryptographically hashed form, the odds that anyone can crack the hash are slim, because the underlying plaintext password is strong. And even if a breach leaks passwords in plaintext, a unique password per site ensures that only the one account is compromised.


The downside of password managers is that when they fail, the results can be severe. It's not unusual for people to use a password manager to store hundreds of passwords, including those for bank, 401k and email accounts. If the password manager is breached, the credentials for many of those accounts could be exposed. Overall, I still recommend that most people use a password manager, unless they devise another technique for generating and storing strong, unique passwords for each account.
