Tavis Ormandy, the popular white-hat hacker at Google Project Zero, has discovered a vulnerability in the LastPass password manager that exposes login credentials entered on a site previously visited by a user.
On September 12, 2019, LastPass has released an update to address the vulnerability with the release of the version 4.33.0.
“Hello, I noticed that you can create a popup without calling do_popupregister
“Because do_popupregister() is never called, ftd_get_frameparenturl() just uses the last cached value in g_popup_url_by_tabid for the current tab. That means via some clickjacking, you can leak the credentials for the previous site logged in for the current tab.”
Ormandy published a step by step procedure to exploit the flaw and display the credentials provided to the previously visited website.
y = document.createElement("iframe"); y.height = 1024; y.width = "100%"; y.src="chrome-extension://hdokiejnpimakedhajhdlcegeplioahd/popupfilltab.html"; // or y.src="moz-extension://..."; // or y.src="ms-browser-extension://..."; document.body.appendChild(y);
The expert explained that the bug is easy to exploit and required no other user interaction, the attacker could trick victims into visiting malicious pages to extract the credentials entered on previously-visited sites.
“Ah-ha, I just figured out how to do this google automatically, because compare_tlds(lp_gettld_url(a), lp_gettld_url(t)) succeeds for
“I think it’s fair to call this “High” severity, even if it won’t work for *all* URLs.”
At the time of
LastPass implements an