A flaw in LastPass password manager leaks credentials from previous site
An expert discovered a flaw in the LastPass password manager that exposes login credentials entered on a site previously visited by a user.
Tavis Ormandy, the popular white-hat hacker at Google Project Zero, has discovered a vulnerability in the LastPass password manager that exposes login credentials entered on a site previously visited by a user.
On September 12, 2019, LastPass has released an update to address the vulnerability with the release of the version 4.33.0.
“Hello, I noticed that you can create a popup without calling do_popupregister() by iframing popupfilltab.html (i.e. viamoz-extension, ms-browser-extension, chrome-extension, etc). It’s a valid web_accessible_resource.” reads a security advisory published by Ormandy.
“Because do_popupregister() is never called, ftd_get_frameparenturl() just uses the last cached value in g_popup_url_by_tabid for the current tab. That means via some clickjacking, you can leak the credentials for the previous site logged in for the current tab.”
Ormandy published a step by step procedure to exploit the flaw and display the credentials provided to the previously visited website.
- Go to https://accounts.google.com, when prompted for password click the little “…” icon.
- Go to https://example.com
- Enter this in the console:
y = document.createElement("iframe"); y.height = 1024; y.width = "100%"; y.src="chrome-extension://hdokiejnpimakedhajhdlcegeplioahd/popupfilltab.html"; // or y.src="moz-extension://..."; // or y.src="ms-browser-extension://..."; document.body.appendChild(y); While this only shows for a Google password it doesn't say whether other oauths are affected
The expert explained that the bug is easy to exploit and required no other user interaction, the attacker could trick victims into visiting malicious pages to extract the credentials entered on previously-visited sites.
“Ah-ha, I just figured out how to do this google automatically, because compare_tlds(lp_gettld_url(a), lp_gettld_url(t)) succeeds for translate.google.com and accounts.google.com, but you can iframeuntrusted sites with translate.google.com, so the top url is irrelevant.” continues the expert.
“I think it’s fair to call this “High” severity, even if it won’t work for *all* URLs.”
At the time of writing, there is no news about the exploitation of this bug in attacks in the wild.
LastPass implements an auto-update process for both mobile apps and browser extensions, users that have disabled it for some reason have to perform a manual update.
As published here: https://securityaffairs.co/wordpress/91338/hacking/lastpass-credentials-leak.html