Tavis Ormandy, the popular white-hat hacker at Google Project Zero, has discovered a vulnerability in the LastPass password manager that exposes login credentials entered on a site previously visited by a user.
On September 12, 2019, LastPass has released an update to address the vulnerability with the release of the version 4.33.0.
“Hello, I noticed that you can create a popup without calling do_popupregister
“Because do_popupregister() is never called, ftd_get_frameparenturl() just uses the last cached value in g_popup_url_by_tabid for the current tab. That means via some clickjacking, you can leak the credentials for the previous site logged in for the current tab.”
Ormandy published a step by step procedure to exploit the flaw and display the credentials provided to the previously visited website.
y = document.createElement("iframe"); y.height = 1024; y.width = "100%"; y.src="chrome-extension://hdokiejnpimakedhajhdlcegeplioahd/popupfilltab.html"; // or y.src="moz-extension://..."; // or y.src="ms-browser-extension://..."; document.body.appendChild(y);
The expert explained that the bug is easy to exploit and required no other user interaction, the attacker could trick victims into visiting malicious pages to extract the credentials entered on previously-visited sites.
“Ah-ha, I just figured out how to do this google automatically, because compare_tlds(lp_gettld_url(a), lp_gettld_url(t)) succeeds for
“I think it’s fair to call this “High” severity, even if it won’t work for *all* URLs.”
At the time of
LastPass implements an
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.