- #Lastpass browser extension vulnerabilities update
- #Lastpass browser extension vulnerabilities software
- #Lastpass browser extension vulnerabilities code
- #Lastpass browser extension vulnerabilities password
#Lastpass browser extension vulnerabilities code
I started by noticing that the extension added some HTML code to every page I visited, so I decided to dig into how that worked. A few cups of coffee later, I found something that looked really, really bad. The bug that allowed me to extract passwords was found in the autofill functionality.
First, the code parsed the URL to figure out which domain the browser was currently at, then it filled any login forms with the stored credentials. However, the URL parsing code was flawed (bug in URL parsing? shocker!). This was the code (lpParseUri function, un-minified):
#Lastpass browser extension vulnerabilities password
Stealing all your passwords by just visiting a webpage. Sounds too bad to be true? That's what I thought too before I decided to check out the security of the LastPass browser extension. For those who don't know, LastPass is one of the world's most popular password managers.
#Lastpass browser extension vulnerabilities update
In the wake of the latest issue, users who want to avoid browser-integrated password managers can switch to an offline one such as KeePass; both reports concern the browser extension, which is the component that parses page URLs and fills forms.
Update: LastPass quickly patched the vulnerability reported by Tavis Ormandy and pushed an update with the fix to all Firefox users running LastPass 4. "The recent report only affects Firefox users. If you are a Firefox user running LastPass 4.0 or later, an update will be pushed via your browser with the fix in version 4.1.21a," LastPass said in a blog post.
Note: This issue has already been resolved and the fix pushed to LastPass users.
This specific vulnerability resided in the autofill functionality of the LastPass browser extension: a faulty regular expression used to parse the current page's URL let an attacker spoof the domain the extension believed it was on. "By browsing this URL: the browser would treat the current domain as while the extension would treat it as ," Karlsson explained. Therefore, by abusing the form autofill functionality, an attacker could steal a victim's, let's say, Facebook password simply by sending the victim the proof-of-concept URL containing . The flaw was patched by the company within a day, and Karlsson was awarded a bug bounty of $1,000.
The issues in password managers are worrying, but this does not mean you should stop using one. Password managers still make it practical to use a unique, complex password for every single site, which is what limits the damage when any one site is breached.
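The following is an added example, not code from the original page and not LastPass's actual lpParseUri (the page does not reproduce that function). It illustrates the bug class described in the autofill write-up above and in the Karlsson section: a hand-rolled, parseUri-style regex whose userinfo group accepts "/" disagrees with the browser's own URL parser about which host a page belongs to, so an autofill check built on the regex fills a site's credentials into an attacker's page. The regex, the hostnames attacker.example and twitter.com, the sample URLs, and the function names are all constructed for this example; the "https only" rule in the hardened check is an added policy choice, not something the page states LastPass did.

```javascript
// Added example: why a hand-rolled URL regex and the browser can disagree
// about which site a page belongs to, and why an autofill decision must
// not trust the regex. Not LastPass's lpParseUri (not on the page).
//
// Simplified parseUri-style pattern constructed for this example. Groups:
// 1 scheme, 2 user, 3 password, 4 host, 5 port. The userinfo group
// ([^:@]*) excludes only ":" and "@", so a "/" is allowed inside it and a
// whole path segment can be swallowed as the "user" part.
const NAIVE_URI_RE =
  /^(?:([^:\/?#]+):)?(?:\/\/)?(?:(?:([^:@]*)(?::([^:@]*))?@)?([^:\/?#]*)(?::(\d*))?)/;

// Host as seen by the naive regex (null if nothing usable matched).
function naiveHost(url) {
  const m = NAIVE_URI_RE.exec(url);
  return m && m[4] !== "" ? m[4] : null;
}

// Host as seen by the browser's own (WHATWG) URL parser.
function browserHost(url) {
  try {
    return new URL(url).hostname;
  } catch (_) {
    return null; // not a valid absolute URL
  }
}

// Vulnerable decision: fill credentials whenever the regex says the host
// matches the site the credentials were saved for.
function vulnerableAutofill(pageUrl, storedSite) {
  return naiveHost(pageUrl) === storedSite;
}

// Hardened decision: let the browser parse the URL, require https (added
// policy assumption for this example), and compare the exact host. In a
// real extension, prefer the origin the browser hands you for the tab or
// frame over re-parsing a URL string at all.
function hardenedAutofill(pageUrl, storedSite) {
  let u;
  try {
    u = new URL(pageUrl);
  } catch (_) {
    return false;
  }
  return u.protocol === "https:" && u.hostname === storedSite;
}

// Constructed inputs. attacker.example stands in for an attacker-controlled
// site, twitter.com for the site whose credentials are stored.
const SAMPLES = [
  "http://attacker.example/@twitter.com/@login.php", // crafted: "@" in the path
  "http://user:pw@twitter.com/login",                // genuine userinfo; parsers agree
  "https://twitter.com/login",                       // plain login page
];

// One row per sample: what each parser sees and what each check would do.
function compareParsers() {
  return SAMPLES.map((url) => ({
    url,
    naive: naiveHost(url),
    browser: browserHost(url),
    vulnerableFills: vulnerableAutofill(url, "twitter.com"),
    hardenedFills: hardenedAutofill(url, "twitter.com"),
  }));
}

for (const row of compareParsers()) console.log(row);
```

On the crafted URL the regex reports twitter.com while the browser reports attacker.example, so the vulnerable check fills the stored twitter.com credentials into the attacker's page and the hardened check refuses. On a URL with genuine userinfo both parsers agree, which is why this class of bug survives casual testing: the regex is only wrong for inputs an attacker chooses.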
Since LastPass is still working on a fix for the zero-day vulnerability, the researcher has not disclosed technical details about the issues.
Similar Old Bug in LastPass Password Manager:
Coincidentally, another security researcher, Mathias Karlsson, also announced that he had uncovered issues in LastPass, which the company has already patched. As Karlsson explained in a blog post published today, an attacker could send a specially crafted URL to the victim in order to steal passwords from his or her vault. A single crafted URL was enough to pull stored credentials out of the vault, which in practice hands the attacker the accounts those credentials protect.
"Are people really using this LastPass thing? I took a quick look and can see a bunch of obvious critical problems. I'll send a report asap," Ormandy revealed on Twitter. Once a victim's LastPass account is compromised, an attacker gains access to a treasure trove of passwords for the victim's other online services.
#Lastpass browser extension vulnerabilities software
However, the password manager isn't as secure as it promises. Google Project Zero researcher Tavis Ormandy discovered several security issues in the software that allowed him to steal passwords stored with LastPass.