It’s a bad week to be an engineer at LastPass. The maker of a popular password manager has just fixed a serious vulnerability that allowed attackers to steal users’ stored passwords, and now another researcher has found a separate bug that he says allows full remote compromise of LastPass.
On Wednesday, researcher Mathias Karlsson disclosed a vulnerability he found in LastPass that enabled him to trick the browser extension into giving up all of a victim’s passwords. That bug lies in the way that the extension parses URLs, and Karlsson found that by constructing URLs in a certain manner, he could get the LastPass extension to reveal a user’s credentials on a given target site.
“The bug that allowed me to extract passwords was found in the autofill functionality. First, the code parsed the URL to figure out which domain the browser was currently at, then it filled any login forms with the stored credentials. However, the URL parsing code was flawed,” Karlsson said in a post.
“By browsing this URL: https://firstname.lastname@example.orgemail@example.com the browser would treat the current domain as avlidienbrunn.se while the extension would treat it as twitter.com. Since the code only URL encodes the last occurence of @, the actual domain is treated as the username portion of the URL.”
“Yes, it’s a complete remote compromise.”
The LastPass extension will then fill in the user’s credentials on the target site. Karlsson said he could then go to other sites and gather a user’s credentials in the same way. He reported the vulnerability to LastPass, which has fixed it already.
But there’s another major vulnerability looming, and it seems to be at least as serious as the one Karlsson found. Travis Ormandy of Google on Tuesday night said that he had discovered a vulnerability in LastPass that allows a remote attacker to completely compromise the machine.
“Full report sent to LastPass, they’re working on it now. Yes, it’s a complete remote compromise,” Ormandy said on Twitter.
Ormandy hasn’t revealed the exact details of the vulnerability he found, but he has been researching bugs in security software in the last few months and has found an alarming number of critical flaws in applications from Symantec, Kaspersky Lab, and several other security companies.