A flaw in LastPass password manager leaks credentials from previous site

An expert discovered a flaw in the LastPass password manager that exposes login credentials entered on a site previously visited by a user.

Tavis Ormandy, the popular white-hat hacker at Google Project Zero, has discovered a vulnerability in the LastPass password manager that exposes login credentials entered on a site previously visited by a user.

On September 12, 2019, LastPass has released an update to address the vulnerability with the release of the version 4.33.0.

“Hello, I noticed that you can create a popup without calling do_popupregister() by iframing popupfilltab.html (i.e. via moz-extension, ms-browser-extension, chrome-extension, etc). It’s a valid web_accessible_resource.” reads a security advisory published by Ormandy.

“Because do_popupregister() is never called, ftd_get_frameparenturl() just uses the last cached value in g_popup_url_by_tabid for the current tab. That means via some clickjacking, you can leak the credentials for the previous site logged in for the current tab.”

Ormandy published a step by step procedure to exploit the flaw and display the credentials provided to the previously visited website.

Go to https://accounts.google.com, when prompted for password click the little “…” icon.
Go to https://example.com
Enter this in the console:

y = document.createElement("iframe");
y.height = 1024;
y.width = "100%";
y.src="chrome-extension://hdokiejnpimakedhajhdlcegeplioahd/popupfilltab.html";
// or y.src="moz-extension://...";
// or y.src="ms-browser-extension://...";
document.body.appendChild(y);

The expert explained that the bug is easy to exploit and required no other user interaction, the attacker could trick victims into visiting malicious pages to extract the credentials entered on previously-visited sites.

“Ah-ha, I just figured out how to do this google automatically, because compare_tlds(lp_gettld_url(a), lp_gettld_url(t)) succeeds for translate.google.com and accounts.google.com, but you can iframe untrusted sites with translate.google.com, so the top url is irrelevant.” continues the expert.

“I think it’s fair to call this “High” severity, even if it won’t work for *all* URLs.”

At the time of writing, there is no news about the exploitation of this bug in attacks in the wild.

LastPass implements an auto-update process for both mobile apps and browser extensions, users that have disabled it for some reason have to perform a manual update.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – LastPass, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.