|
|
LastPass: domain regex doesn't handle data and other pseudo-url schemes | ||
| Project Member Reported by taviso@google.com, Mar 16 2017 | Back to list | ||
I previously found a design flaw in lastpass that affected the 4.x branch of lastpass ( issue 884 ). They confirmed the vulnerability, but explained that most of their users use an older branch from addons.mozilla.org. I took a look at the addons.mozilla.org version (3.3.2 as of this writing), and noticed that they hadn't fixed this old regex vulnerability properly: https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/ Apparently this vulnerability was originally reported in 2015, but their fix was incomplete, because you can still make it match something like "data:,.twitter.com/foo". Exploitation is not trivial because of the weird context, but I made a quick demo that can steal your twitter password. In fact, with some simple clickjacking, you can also steal it if you don't enable autofill. Demo attached, it probably requires a lot of tweaking to be reliable. This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.
Comment 1
Deleted
,
Mar 17 2017
I uploaded a demo that works without autofill here. https://lock.cmpxchg8b.com/Yuk3fota/lastpass.html It's pretty silly, but you get the idea.
,
Mar 21 2017
,
Mar 22 2017
It looks like LastPass 3.3.4 is now live on addons.mozilla.org, and contains the fix. https://addons.mozilla.org/en-Us/firefox/addon/lastpass-password-manager/versions/ Firefox users should be automatically updated to the latest version. Marking fixed. |
|||
| ► Sign in to add a comment | |||
