PINDROP BLOG

LastPass Patches Remote Compromise Flaw

LastPass has patched a remote compromise vulnerability disclosed this week by a Google researcher, a bug that could be used to gain full access to Firefox users’ LastPass data.

The vulnerability lies in the LastPass extension for Mozilla Firefox, and researcher Tavis Ormandy of Google, who discovered the bug, found that it could be used for a complete remote compromise of users. Ormandy disclosed the flaw to the maker of the popular password manager earlier this week, and the company has released a new version of the extension to fix the bug.

The flaw Ormandy discovered relates to the way the extension handles some iframes.

“<input> boxes are modified with some css, and a click event handler is added that instructs the addon to create a privileged iframe. A page can click the LastPass icon programatically with javascript by creating a MouseEvent() with the right x:y coordinates. Normally a page would not be permitted to navigate to a resource:// url, but this just asks the add-on to do it,” Ormandy said in his bug report.

“That should trick lastpass into processing an openURL command. This allows access to any of the privileged LastPass RPCs, so this is a complete compromise of the lastpass addon. From here an attacker can create and delete files, execute script, steal all passwords, log victims into their own lastpass account so that they can steal anything new saved there, etc, etc.”

LastPass on Wednesday pushed out a fix for Firefox users that addresses the vulnerability. The company said that an attacker would need to get a victim to visit a malicious site in order to exploit the vulnerability, something that’s not difficult to do.

“First, an attacker would need to successfully lure a LastPass user to a malicious website. Once there, Ormandy demonstrated that the website could then execute LastPass actions in the background without the user’s knowledge, such as deleting items,” LastPass said in a blog post.

The vulnerability does not affect people who use the Chrome, Safari, or other versions of the LastPass extension.

Webinar: Call Center Fraud Vectors & Fraudsters Analyzed