Bug exposing password purged LastPass extensions




[Image: still from the long-running but now-defunct game show Password.]

Developers of the LastPass password manager have fixed a vulnerability that allowed websites to steal the credentials for the last account the user had logged in to with the help of the LastPass Chrome or Opera extension.

The vulnerability was discovered last month by Tavis Ormandy, a researcher at Google Project Zero, who reported it privately to LastPass. In a write-up made public on Sunday, Ormandy explained that the flaw stemmed from the way the extension generated pop-ups. In some situations, websites could create a pop-up window by embedding an HTML iframe linked to the LastPass popupfilltab.html window, rather than through the expected procedure of calling a function named do_popupregister(). In some cases, this unexpected path caused the pop-up to open with the password from the most recently visited site.

"Since do_popupregister() is never called, ftd_get_frameparenturl() simply uses the last value cached in g_popup_url_by_tabid for the current tab," Ormandy wrote. "This means that via a clickjack you can disclose the credentials of the previously logged-in site for the current tab."

Clickjacking is a class of attack that hides the true destination of the site or resource behind a web link. In its most common form, a clickjacking attack places a malicious link in a transparent layer over a visible link that appears harmless. Users who click the visible link instead open the malicious page or resource rather than the one that seemed safe.

"This will prompt you if you try to clickjack the fill or copy of the credentials, because frame_and_topdoc_has_same_domain() returns false," Ormandy continued. "You can bypass that, because you can make them match by finding a site that will mimic an untrusted page."

The researcher then showed how such a bypass could work by combining two domains into a single URL, for example:

https://translate.google.com/translate?sl=auto&tl=fr&u=https://www.example.com/
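To make the stale-cache pattern described above concrete, here is an added, simplified model of a per-tab fill cache; it is not LastPass's code, and the names registerPopup, fillTargetVulnerable, fillTargetHardened and registrations are hypothetical (only do_popupregister, g_popup_url_by_tabid and the same-domain check are named in the article). It also shows why a pure same-origin check is not enough on its own: a page loaded through a proxy such as the translate URL above has the proxy's origin, so the fill must be keyed to the origin of the frame actually holding the form.

```javascript
// Hypothetical model of the bug pattern in the article (not the extension's real code).
const g_popup_url_by_tabid = new Map();   // last registered fill URL per tab
const registrations = new Map();          // hardened variant: one-shot, frame-bound entries

function originOf(url) { return new URL(url).origin; }

// The registration step the extension expects before a fill pop-up appears.
function do_popupregister(tabId, frameUrl) {
  g_popup_url_by_tabid.set(tabId, frameUrl);
}

// Vulnerable pattern: whatever site last registered on this tab is reused,
// so a later page that opens the pop-up without registering gets the stale entry.
function fillTargetVulnerable(tabId) {
  return g_popup_url_by_tabid.get(tabId) || null;
}

// Hardened pattern: the entry is bound to the frame that registered it and is
// consumed by exactly one fill, so there is never a cached value to reuse.
function registerPopup(tabId, frameUrl, topUrl) {
  registrations.set(tabId, { frameUrl, topUrl });
}

// The check the article calls frame_and_topdoc_has_same_domain(), on origins.
function frameAndTopdocHaveSameOrigin(frameUrl, topUrl) {
  return originOf(frameUrl) === originOf(topUrl);
}

// Returns the origin credentials may be filled for, or null to refuse the fill.
function fillTargetHardened(tabId, frameUrl, topUrl) {
  const reg = registrations.get(tabId);
  registrations.delete(tabId);                         // one registration, one fill
  if (!reg || reg.frameUrl !== frameUrl) return null;  // not the frame that registered
  if (!frameAndTopdocHaveSameOrigin(frameUrl, topUrl)) return null;
  return originOf(frameUrl);  // a proxied page yields the proxy's origin, not the real site's
}
```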

In a series of updates, Ormandy described simpler ways to carry out the attack. He also described three other weaknesses he found in the extensions, namely:

  • handle_hotkey() did not check for trusted events, allowing sites to generate arbitrary keyboard-shortcut events
  • a bug that allowed attackers to disable multiple security checks by placing the string "https://login.streetscape.com" in the code
  • a routine called LP_iscrossdomainok() that could bypass other security checks

On Friday, LastPass published a post stating that the bugs had been fixed and describing the "limited set of circumstances" required for the vulnerabilities to be exploited.

"To exploit this bug, a LastPass user must take a series of actions, including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being fooled into clicking multiple times on the page," LastPass representative Ferenc Kun wrote. "This exploit could result in the disclosure of the credentials for the last site LastPass filled, and we quickly worked on the development of a patch and verified with Tavis that the fix was complete."

Do not give up your password manager just yet

This vulnerability highlights the downside of password managers, which many security practitioners regard as an essential tool for good security hygiene. By making it easy to create and store a unique password for each account, password managers offer a crucial alternative to password reuse. They also make it easy to use strong passwords, because users do not need to remember them. If a website breach exposes users' passwords in cryptographically hashed form, the chances that someone can crack the hash are slim, because the underlying plaintext password is strong. And even if a breach leaks passwords in plaintext, the password manager ensures that only that one account is compromised.

The downside of password managers is that when they fail, the results can be severe. It is not uncommon for people to store hundreds of passwords in a password manager, including those for bank, 401(k) and email accounts. If the password manager is compromised, the credentials for many accounts may be exposed at once. On balance, I still recommend that most people use a password manager, unless they devise another technique for generating and storing strong passwords that are unique to each account.

One way to reduce the damage that can occur if a password manager is compromised is to use multi-factor authentication wherever possible. By far the most secure and user-friendly form of MFA is the industry-wide WebAuthn standard, but a time-based one-time password generated by an authenticator app is also relatively secure. And despite the criticism directed at SMS-based MFA, much of it justified, even that meager protection would probably be enough to protect most people from account takeovers.

The LastPass bug has been fixed in version 4.33.0. The updated extension should install automatically on users' computers, but it is not a bad idea to check. While LastPass said the bug was limited to the Chrome and Opera browsers, the company deployed the update to all browsers as a precaution.
