
Issue metadata

Status: Fixed
Closed: Mar 2017

LastPass: domain regex doesn't handle data and other pseudo-url schemes

Project Member Reported by taviso@google.com, Mar 16 2017

Issue description

I previously found a design flaw in LastPass that affected the 4.x branch of LastPass (issue 884). They confirmed the vulnerability, but explained that most of their users use an older branch from addons.mozilla.org.

I took a look at the addons.mozilla.org version (3.3.2 as of this writing), and noticed that they hadn't fixed this old regex vulnerability properly:

https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/

Apparently this vulnerability was originally reported in 2015, but their fix was incomplete, because you can still make it match something like "data:,.twitter.com/foo".

Exploitation is not trivial because of the weird context, but I made a quick demo that can steal your Twitter password. In fact, with some simple clickjacking, you can also steal it if you don't enable autofill. Demo attached; it probably requires a lot of tweaking to be reliable.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.

Attachment: Windows 7-2017-03-15-19-24-54.png (88.0 KB)
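The matching failure described above, as an added illustration that is not LastPass's code: a constructed substring-style host matcher of the kind the report describes (it takes whatever follows the scheme as the "host" and checks for a domain suffix) next to a scheme-aware check built on the WHATWG URL parser that refuses anything other than http/https before comparing hostnames. The regex, the function names and the sample URLs are all assumptions made for this example.

```javascript
// Added example (not the extension's real code). Shows why a regex that
// scrapes a "host" out of the page URL is fooled by pseudo-URL schemes such
// as data:, and how a parser-based, scheme-restricted check avoids that.

// Constructed naive matcher: assumption about the general shape of the
// flawed check, not LastPass's actual regex. It accepts any scheme, treats
// "//" as optional, and takes everything up to the first "/", "?" or "#"
// as the host. For "data:,.twitter.com/foo" that "host" is ",.twitter.com",
// which ends with ".twitter.com" and therefore matches.
function naiveDomainMatches(url, domain) {
  const m = /^[a-z][a-z0-9+.-]*:(?:\/\/)?([^/?#]*)/i.exec(url);
  if (!m) return false;
  const host = m[1].toLowerCase();
  return host === domain || host.endsWith('.' + domain);
}

// Hardened check: only real web origins are eligible for credential fill.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Returns the lower-cased hostname for an http/https URL, or null for
// anything that is not a well-formed URL with one of those schemes.
// new URL() is the WHATWG URL parser; for "data:" and "blob:" URLs it
// reports protocol "data:" / "blob:" and an empty hostname, so they are
// rejected by the scheme check before any domain comparison happens.
function pageHostname(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return null; // not parseable: never fill
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  return parsed.hostname.toLowerCase();
}

// Domain match on the parsed hostname only, with a dot boundary so that
// "evil-twitter.com" does not match "twitter.com" while "mobile.twitter.com" does.
function safeDomainMatches(url, domain) {
  const host = pageHostname(url);
  if (host === null) return false;
  return host === domain || host.endsWith('.' + domain);
}

// Constructed sample URLs for a side-by-side comparison of both checks.
const SAMPLE_URLS = [
  'https://twitter.com/login',         // legitimate origin
  'https://mobile.twitter.com/',       // legitimate subdomain
  'https://evil-twitter.com/',         // lookalike, must not match
  'https://twitter.com.example.test/', // suffix-spoofed host, must not match
  'data:,.twitter.com/foo',            // pseudo-URL from the report
  'blob:https://twitter.com/0000',     // another non-http scheme
];

function compareChecks(domain) {
  return SAMPLE_URLS.map((url) => ({
    url,
    naive: naiveDomainMatches(url, domain),
    safe: safeDomainMatches(url, domain),
  }));
}

console.table(compareChecks('twitter.com'));
```

The point of the comparison is that the fix is not a tighter regex but a change of input: the hostname must come from a URL parser, and the scheme must be checked first, because for `data:` there is no hostname at all to compare.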

Comment 1 Deleted

Comment 2 by taviso@google.com (Project Member), Mar 17 2017

I uploaded a demo that works without autofill here.

https://lock.cmpxchg8b.com/Yuk3fota/lastpass.html

It's pretty silly, but you get the idea.

Comment 3 by taviso@google.com (Project Member), Mar 21 2017

Cc: dved...@mozilla.com


Comment 4 by taviso@google.com (Project Member), Mar 22 2017

Labels: -Restrict-View-Commit
Status: Fixed (was: New)
Summary: LastPass: domain regex doesn't handle data and other pseudo-url schemes (was: LastPass: domain regex doesn't handle data/blob/etc schemes)

It looks like LastPass 3.3.4 is now live on addons.mozilla.org, and contains the fix.

https://addons.mozilla.org/en-Us/firefox/addon/lastpass-password-manager/versions/

Firefox users should be automatically updated to the latest version.

Marking fixed.
