
LastPass Chrome & Firefox Extensions Affected by Critical Bug


CrAKeN

LastPass faced critical vulnerabilities

 

LastPass, the password vault that you were supposed to trust with your information, was affected by a critical security flaw. Thankfully, the company has already patched things up.

 

This wasn't even some very complicated problem, but rather a coding error. At least that's the opinion of Google's Tavis Ormandy, a security expert who has detected numerous problems over the years, including the recent Cloudflare incident.

 

The white hat found the issue within the LastPass Chrome extension. According to Ormandy, the extension had an exploitable content script that could be attacked to extract passwords from the manager. It could also be pushed to execute commands on the victim's computer, which the Google hacker demonstrated easily.

 

"This script will proxy unauthenticated window messages to the extension. This is clearly a mistake," Ormandy writes.

 

Nothing was safe


Since LastPass works by storing passwords in the cloud, the browser extension is your link to the LastPass account, helping you save new information as you browse the Internet.

 

The vulnerability made it dangerous for users to even browse a malicious website, as all their passwords could have been picked up by attackers.

 

"This allows complete access to internal privileged LastPass RPC commands. There are hundreds of internal LastPass RPCs, but the obviously bad ones are things copying and filling in passwords (copypass, fillform, etc)," Ormandy added in his report.

It seems that all one needed to exploit the vulnerability was two simple lines of JavaScript code.

 

Thankfully, LastPass has already fixed the issue within its Chrome extension by disabling 1min-ui-prod.service.lastpass.com. As always, the company had been notified early on about the discovered vulnerability and worked directly with Tavis to verify the report and to create and issue a fix.

 

Firefox too


A similar vulnerability was then discovered within the LastPass Firefox extension, a bug that could be exploited by malicious webpages to extract passwords straight from the manager.

 

It looks like LastPass has already issued a patch to fix the add-on, but the updated version is in Mozilla's review process, so it may take a little bit longer for it to go live.

 

Source

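The message-proxying mistake Ormandy describes in the post above, as an added JavaScript illustration that is neither LastPass's code nor part of the original post: a content script that forwards any window message straight to the extension, beside a hardened handler that checks the message source, its origin and a command allowlist. ALLOWED_ORIGIN, the allowlisted command names and the sample events are constructed assumptions; copypass is the privileged RPC name the report mentions.

```javascript
// Added illustration of the bug class (content script proxying unauthenticated
// window messages to the extension); names below are hypothetical, not LastPass's.

// Stand-in for the privileged extension background: records what it was asked to run.
function makeBackground() {
  const calls = [];
  return { calls, send: (msg) => calls.push(msg) };
}

// VULNERABLE pattern: every window.postMessage reaching the page is forwarded to
// the extension, so any script on a malicious page can drive privileged RPCs.
function vulnerableContentScript(background) {
  return function onMessage(event) {
    background.send(event.data); // no source, origin or command check
  };
}

// HARDENED pattern: accept only messages from our own window, from the expected
// origin, and only commands on a short allowlist; privileged RPCs are unreachable.
const ALLOWED_ORIGIN = "https://trusted-ui.example"; // hypothetical trusted origin
const ALLOWED_COMMANDS = new Set(["ping", "ui-ready"]); // hypothetical safe commands
function hardenedContentScript(background, selfWindow) {
  return function onMessage(event) {
    if (event.source !== selfWindow) return false;      // reject messages from other frames
    if (event.origin !== ALLOWED_ORIGIN) return false;  // reject unexpected origins
    const data = event.data;
    if (!data || typeof data.cmd !== "string") return false;
    if (!ALLOWED_COMMANDS.has(data.cmd)) return false;  // reject everything not allowlisted
    background.send({ cmd: data.cmd });                 // forward only the sanctioned field
    return true;
  };
}

// Constructed sample events in the shape of a MessageEvent (source, origin, data).
const selfWindow = { name: "top" };
const SAMPLE_EVENTS = [
  { source: selfWindow, origin: "https://untrusted-site.example", data: { cmd: "copypass" } },
  { source: { name: "iframe" }, origin: ALLOWED_ORIGIN, data: { cmd: "ping" } },
  { source: selfWindow, origin: ALLOWED_ORIGIN, data: { cmd: "ping" } },
];

// Feed the same events to both handlers and report how many reached the background.
function compareHandlers() {
  const vulnBg = makeBackground(), hardBg = makeBackground();
  const vuln = vulnerableContentScript(vulnBg);
  const hard = hardenedContentScript(hardBg, selfWindow);
  for (const e of SAMPLE_EVENTS) { vuln(e); hard(e); }
  return { vulnerable: vulnBg.calls.length, hardened: hardBg.calls.length };
}
```

The vulnerable handler passes all three constructed events through; the hardened one forwards only the single message that comes from its own window, the expected origin and an allowlisted command.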

LastPass bills itself as a way to simplify your life by storing all your passwords and account details in one place. However, it’s looking a little less convenient now, as the service deals with its second major security flaw in as many weeks. LastPass is in the process of patching a security hole that could allow an attacker to execute remote code on your machine and access your passwords. Really, the worst possible scenario you can imagine.

 

For the uninitiated, LastPass exists as a browser extension and mobile app. When you set up an account, LastPass helps you generate strong passwords and store your logins with its encrypted vault. It also supports form fill profiles for content like credit cards and shipping addresses. If you use LastPass, it could contain the very keys to your online existence.

 

The new exploit in the browser extension was discovered by Google Project Zero researcher Tavis Ormandy, who also found the exploit LastPass rushed to patch last week. The two exploits have similar consequences, allowing an attacker to gain access to your LastPass data and run code on your machine without your knowledge. All you’d need to do is visit a malicious website, and your data could be snatched. Importantly, this will only work if you’re logged into LastPass. If you are logged out, the data archive is still encrypted.

 

According to Ormandy, the flaw is most severe when a user has the LastPass binary component enabled. The binary controls some of LastPass’ advanced features like importing/exporting data, fingerprint authentication, and attachments for secure notes. You may already have it turned on, but there are ways an attacker could trick you into enabling it anyway. Without the binary, the attack can’t run arbitrary code on your machine. It still leaves your passwords wide open, though.

 


Ah-ha, I had an epiphany in the shower this morning and realized how to get codeexec in LastPass 4.1.43. Full report and exploit on the way. pic.twitter.com/vQn20D9VCy

— Tavis Ormandy (@taviso) March 25, 2017


The exploit was confirmed by Ormandy on Linux and Windows, but he suspects it will work on macOS as well. Basically, anywhere the LastPass browser extension runs, the flaw is present. In fairness, LastPass takes security very seriously. It fired off a patch for the last exploit in a few days, and it’s already responded to the new report by Ormandy. It describes the attack as “highly sophisticated,” but we won’t know for sure how it works until there’s a patch. At that point, the method will be made public. Ormandy thinks it will take a while to fix this vulnerability as it’s a “major architectural problem.”

 

In the meantime, users of LastPass are encouraged to avoid seedy areas of the internet and enable two-factor authorization on all services that support it. There’s no evidence that the exploit is active in the wild, but better safe than sorry.

 

Source
