Monorail Project: project-zero Issues People Development process History Sign in
New issue
Advanced search Search tips
Starred by 1 user
Status: Fixed
Owner:
Closed: Mar 22
Cc:



Sign in to add a comment
LastPass: domain regex doesn't handle data and other pseudo-url schemes
Project Member Reported by taviso@google.com, Mar 16 Back to list
I previously found a design flaw in lastpass that affected the 4.x branch of lastpass ( issue 884 ). They confirmed the vulnerability, but explained that most of their users use an older branch from addons.mozilla.org.

I took a look at the addons.mozilla.org version (3.3.2 as of this writing), and noticed that they hadn't fixed this old regex vulnerability properly:

https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/

Apparently this vulnerability was originally reported in 2015, but their fix was incomplete, because you can still make it match something like "data:,.twitter.com/foo".

Exploitation is not trivial because of the weird context, but I made a quick demo that can steal your twitter password. In fact, with some simple clickjacking, you can also steal it if you don't enable autofill. Demo attached, it probably requires a lot of tweaking to be reliable.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.

 
Windows 7-2017-03-15-19-24-54.png
88.0 KB View Download
Comment 1 Deleted
Project Member Comment 2 by taviso@google.com, Mar 17
I uploaded a demo that works without autofill here.

https://lock.cmpxchg8b.com/Yuk3fota/lastpass.html

It's pretty silly, but you get the idea.


Project Member Comment 3 by taviso@google.com, Mar 21
Cc: dved...@mozilla.com
Project Member Comment 4 by taviso@google.com, Mar 22
Labels: -Restrict-View-Commit
Status: Fixed
Summary: LastPass: domain regex doesn't handle data and other pseudo-url schemes (was: LastPass: domain regex doesn't handle data/blob/etc schemes )
It looks like LastPass 3.3.4 is now live on addons.mozilla.org, and contains the fix.

https://addons.mozilla.org/en-Us/firefox/addon/lastpass-password-manager/versions/

Firefox users should be automatically updated to the latest version.

Marking fixed.
Sign in to add a comment