
A security vulnerability in the extension of LastPass password manager could have allowed stealing the credentials last used for logging into a website.
Exploiting the bug was possible in the Google Chrome and Opera web browsers, but it required some effort to succeed, since the target needed to go through several steps.
Not an easy one
Google security engineer Tavis Ormandy found that an attacker could create a valid clickjacking scenario for a user that has used LastPass to log into an account and direct them to a compromised or malicious website loaded with a specially created iframe.
In the vulnerability disclosure submitted to LastPass, the researcher details the technical aspect and how subsequent clickjacking can reveal the last credentials used by a victim.
He explains, however, that the theft would only succeed if all actions happened in the same tab. By placing the popup that prompts for a password fill inside an iframe, a step in the verification chain was skipped, and the last cached value for the current tab would be leaked.
"That means via some clickjacking, you can leak the credentials for the previous site logged in for the current tab," Ormandy explains in the report to LastPass at the end of August.
After tinkering with the bug for a while, the researcher found a way to automate the credential leak on a Google website. Although the method may not work with all websites, Ormandy reckons that the bug has a high severity.
The researcher pointed out other issues discovered in LastPass that could be leveraged by an attacker. One of them is the possibility of generating arbitrary hotkey events due to a lack of checks for trusted events.
Another problem allowed disabling multiple security checks, while a third one permitted bypassing several security-related verifications.
LastPass extensions updated
The makers of the password manager acknowledged the vulnerability and on Friday they published an advisory announcing that they resolved the bug.
The company notes that "while any potential exposure due to the bug was limited to specific browsers (Chrome and Opera), as a precaution, we’ve deployed the update to all browsers." The process is automated so users do not have to take any action.
Recommended best practices for LastPass users include the following:
- stay away from links sent by unknown individuals
- turn on multi-factor authentication (MFA) for all services that support the feature
- do not reuse or share the master password of your password manager
- create a unique password for each online account
- run an up-to-date antivirus solution and keep the software on your computer at the most recent version