New issue
Advanced search Search tips

Issue 1188 link

Starred by 1 user

Issue metadata

Status: Fixed
Closed: Mar 2017

Sign in to add a comment

LastPass: domain regex doesn't handle data and other pseudo-url schemes

Project Member Reported by, Mar 16 2017

Issue description

I previously found a design flaw in lastpass that affected the 4.x branch of lastpass (issue 884). They confirmed the vulnerability, but explained that most of their users use an older branch from

I took a look at the version (3.3.2 as of this writing), and noticed that they hadn't fixed this old regex vulnerability properly:

Apparently this vulnerability was originally reported in 2015, but their fix was incomplete, because you can still make it match something like "data:,".

Exploitation is not trivial because of the weird context, but I made a quick demo that can steal your twitter password. In fact, with some simple clickjacking, you can also steal it if you don't enable autofill. Demo attached, it probably requires a lot of tweaking to be reliable.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.

Windows 7-2017-03-15-19-24-54.png
88.0 KB View Download

Comment 1 Deleted

Project Member

Comment 2 by, Mar 17 2017

I uploaded a demo that works without autofill here.

It's pretty silly, but you get the idea.

Project Member

Comment 3 by, Mar 21 2017

Project Member

Comment 4 by, Mar 22 2017

Labels: -Restrict-View-Commit
Status: Fixed (was: New)
Summary: LastPass: domain regex doesn't handle data and other pseudo-url schemes (was: LastPass: domain regex doesn't handle data/blob/etc schemes )
It looks like LastPass 3.3.4 is now live on, and contains the fix.

Firefox users should be automatically updated to the latest version.

Marking fixed.

Sign in to add a comment