The LastPass password manager extension for some browsers had a serious vulnerability that, under some specific circumstances, would leak the credentials for the last site the user visited.
The vulnerability affects the LastPass extension for Chrome and Opera and arises from the way the extension produces pop-up windows in some cases. Security researcher Tavis Ormandy of Google’s Project Zero discovered the bug and reported it to LastPass, which released version 4.3.3 of the extension on Sept. 12 to fix it. Ormandy found that the extension never calls the function that registers the pop-up for the current tab, so when it looks up which site the pop-up belongs to, it falls back to a cached value and fills in the credentials that were used on the last site.
“Because do_popupregister() is never called, ftd_get_frameparenturl() just uses the last cached value in g_popup_url_by_tabid for the current tab. That means via some clickjacking, you can leak the credentials for the previous site logged in for the current tab,” Ormandy said in his bug report.
Exploiting the bug would require several steps, but the process isn’t overly complicated. The extension does show a prompt when someone tries to clickjack the filling or copying of credentials into the pop-up, but Ormandy found that an attacker could get around that prompt.
“This will prompt if you try to clickjack filling in or copying credentials though, because frame_and_topdoc_has_same_domain() returns false. This is possible to bypass, because you can make them match by finding a site that will iframe an untrusted page. Google will do this, for example,” he said.
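The stale-cache behaviour Ormandy describes above, modelled as an added example that is not LastPass’s code: a per-tab cache of the pop-up’s parent URL is refreshed only when the registration step runs, so a lookup that trusts the cache after a navigation returns the previous site. The function and variable names mirror those in the bug report; their bodies, the navigation model, the tab id and the site names are constructed for illustration, and the origin check in the hardened lookup is one hypothetical guard, not LastPass’s actual fix.

```javascript
// Constructed model of a per-tab URL cache (not LastPass's implementation).
const g_popup_url_by_tabid = new Map();   // tabId -> parent URL recorded at registration
const g_current_url_by_tabid = new Map(); // tabId -> URL the tab is showing now (model state)

function navigate(tabId, url) {
  // Simulates a navigation: the tab's real URL changes, but the cache is untouched.
  g_current_url_by_tabid.set(tabId, url);
}

function do_popupregister(tabId) {
  // Registration binds the cache entry to the page currently shown in the tab.
  g_popup_url_by_tabid.set(tabId, g_current_url_by_tabid.get(tabId));
}

// Vulnerable lookup: returns whatever was cached last, even across navigations,
// so the credentials chosen for the pop-up belong to the previous site.
function ftd_get_frameparenturl_vulnerable(tabId) {
  return g_popup_url_by_tabid.get(tabId);
}

// Hardened lookup (hypothetical guard): the cached entry is only honoured while
// its origin still matches the tab's current origin; otherwise refuse to fill.
function ftd_get_frameparenturl_fixed(tabId) {
  const cached = g_popup_url_by_tabid.get(tabId);
  const current = g_current_url_by_tabid.get(tabId);
  if (cached === undefined || current === undefined) return null;
  if (new URL(cached).origin !== new URL(current).origin) return null; // stale entry
  return cached;
}

// Scenario: a fill on the first site registers the pop-up; the tab then moves to
// another site and the registration step never runs again.
function scenario() {
  const tab = 7; // constructed tab id
  navigate(tab, "https://bank.example/login");
  do_popupregister(tab);
  navigate(tab, "https://other.example/page");
  return {
    vulnerable: ftd_get_frameparenturl_vulnerable(tab), // "https://bank.example/login"
    fixed: ftd_get_frameparenturl_fixed(tab),           // null
  };
}
```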
LastPass has fixed the vulnerability and pushed an update that will install automatically for users of the browser extension. The update applies to all versions of the extension, although only the Chrome and Opera versions were affected by the vulnerability.
“To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times. This exploit may result in the last site credentials filled by LastPass to be exposed. We quickly worked to develop a fix and verified the solution was comprehensive with Tavis,” Ferenc Kun of LastPass said in a post on the flaw.
Vulnerabilities in password managers such as LastPass or 1Password tend to attract quite a bit of attention, and for good reason. Many enterprises rely on them to store sensitive credentials that could be quite damaging if they leaked. But password managers generally are still a safer option for most environments than storing passwords in the browser or rotating through a list of easy-to-remember passwords.