I reported this to LastPass through their responsible disclosure page and the report was handled very professionally. After that I could simply go through other commonly used sites and extract credentials for those too. Too bad to be true?īelow you see that the extension would fill my form with the stored credentials for. Since the code only URL encodes the last occurence of the actual domain is treated as the username portion of the URL. Var fixedURL = & (url = url.substring(0, fixedURL.length) + "%40")) īy browsing this URL: the browser would treat the current domain as while the extension would treat it as. This was the code (lpParseUri function, un-minified): However, the URL parsing code was flawed (bug in URL parsing? shocker!). First, the code parsed the URL to figure out which domain the browser was currently at, then it filled any login forms with the stored credentials. The bug that allowed me to extract passwords was found in the autofill functionality. A few cups of coffee later, I found something that looked really, really bad. I started by noticing that the extension added some HTML code to every page I visited, so I decided to dig into how that worked. Sounds too bad to be true? That’s what I thought too before I decided to check out the security of the LastPass browser extension.įor those who don’t know, LastPass is one of the world’s most popular password managers. Stealing all your passwords by just visiting a webpage. Note: This issue has already been resolved and pushed to the Lastpass users.
0 Comments
Leave a Reply. |