[BreachExchange] What should password managers not do? Leak your passwords? What a great idea, LastPass

Audrey McNeil audrey at riskbasedsecurity.com
Tue Mar 21 18:55:42 EDT 2017


https://www.theregister.co.uk/2017/03/21/lastpass_vulnerabilities/

Password vault LastPass has patched critical security flaws that malicious
websites could exploit to steal millions of victims' passphrases.

The programming cockup was spotted by Tavis Ormandy, a white-hat hacker on
Google's crack Project Zero security team. He found that the LastPass
Chrome extension had an exploitable content script that evil webpages could
attack to extract passwords from the manager.

LastPass works by storing your passwords in the cloud. It provides browser
extensions that connect to your LastPass account and automatically fill out
your saved login details when you surf to your favorite sites.

However, due to the discovered vulnerabilities, simply browsing a malicious
website would be enough to hand over your LastPass passphrases to
strangers. The weak LastPass script uncovered by Ormandy could be exploited
by tricking it into granting access to the manager's internal data. It can
also be potentially abused to execute commands on the victim's computer –
Ormandy demonstrated this by running calc.exe simply by opening a webpage.

"This script will proxy unauthenticated window messages to the extension.
This is clearly a mistake," Ormandy explained in a bug report today.

"This allows complete access to internal privileged LastPass RPC [remote
procedure call] commands. There are hundreds of internal LastPass RPCs, but
the obviously bad ones are things copying and filling in passwords
(copypass, fillform, etc)."

All that's needed to exploit the vulnerability are two simple lines of
JavaScript code, which Ormandy supplied:

win = window.open("https://1min-ui-prod.service.lastpass.com/");
win.postMessage({}, "*");
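To show, from the defender's side, what "proxying unauthenticated window messages to the extension" means and what the missing checks look like, here is a small added example. It is not LastPass's code and does not reproduce their extension; the RPC table, the trusted-origin value and the relay functions are all constructed for illustration. The flawed relay forwards any window message straight into the privileged RPC dispatcher; the hardened relay checks the message origin, validates the message shape, and exposes only an explicit allowlist of commands to page context.

```javascript
// Added example, not LastPass's code: a toy model of a browser-extension
// content script that relays window.postMessage events to the extension's
// privileged side. vulnerableRelay() mirrors the pattern described in the
// bug report (any window message is proxied through); hardenedRelay() shows
// the checks a reviewer would expect. Every name and value here is constructed.

// Constructed stand-in for the extension's internal RPC table.
const PRIVILEGED_RPCS = {
  copypass: () => "clipboard now holds the stored password",
  fillform: () => "login form filled with stored credentials",
  getVersion: () => "4.1.0-example",
};

function dispatchRpc(cmd, args) {
  const handler = PRIVILEGED_RPCS[cmd];
  if (!handler) return { error: "unknown rpc" };
  return { result: handler(args) };
}

// FLAWED: trusts whatever arrives via window.postMessage and forwards it.
// Any page that can reach this frame gets the whole privileged RPC surface.
function vulnerableRelay(event) {
  const { cmd, args } = event.data || {};
  return dispatchRpc(cmd, args);
}

// HARDENED: only the extension's own UI origin may talk to the relay, the
// message must have the expected shape, and only a small allowlist of RPCs
// is reachable from page context at all.
const TRUSTED_ORIGIN = "https://ui.extension.example"; // hypothetical
const PAGE_EXPOSED_RPCS = new Set(["getVersion"]);

function hardenedRelay(event) {
  if (event.origin !== TRUSTED_ORIGIN) {
    return { error: "untrusted origin" };
  }
  const data = event.data;
  if (!data || typeof data !== "object" || typeof data.cmd !== "string") {
    return { error: "malformed message" };
  }
  if (!PAGE_EXPOSED_RPCS.has(data.cmd)) {
    return { error: "rpc not exposed to page context" };
  }
  return dispatchRpc(data.cmd, data.args);
}

// Constructed message events, shaped like the MessageEvent a "message"
// listener receives (origin + data); no real window is involved.
const attackerMessage = {
  origin: "https://attacker.example",
  data: { cmd: "copypass" },
};
const emptyMessage = { origin: "https://attacker.example", data: {} };

function demo() {
  return {
    flawedLeaks: vulnerableRelay(attackerMessage),
    flawedEmpty: vulnerableRelay(emptyMessage),
    hardenedBlocks: hardenedRelay(attackerMessage),
    hardenedAllowsBenign: hardenedRelay({
      origin: TRUSTED_ORIGIN,
      data: { cmd: "getVersion" },
    }),
  };
}

console.log(demo());
```

In a real content script the hardened function would be registered with window.addEventListener("message", hardenedRelay), and a reviewer would also expect a check on event.source where the expected sender window is known. The point the example makes is that the origin check alone already stops a message posted from another window, and the allowlist keeps commands such as copypass and fillform out of page reach even if the origin check were ever bypassed.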

LastPass's fix for the Chrome extension issue was to quickly disable
1min-ui-prod.service.lastpass.com. The password manager developer has
experience with Ormandy after he found another flaw in its code last year
that could compromise a punter's passwords just by visiting the wrong
website.

"We greatly appreciate the work of the security community to challenge our
product and uncover areas that need improvement," Joe Siegrist, cofounder
and VP of LastPass, told The Register.

"We have made our LastPass community aware of the report made by Tavis
Ormandy and have confirmed that the vulnerabilities have been fixed. We
were notified early on – our team worked directly with Tavis to verify the
report made, and worked quickly to issue the fix. As always, we recommend
that users keep their software updated to the latest versions."

And now its Firefox add-on

It has been a busy weekend for LastPass software engineers. Late last week,
Ormandy found another LastPass vulnerability, this time in its Firefox
extension. Again, the vulnerability could be exploited by malicious
webpages to extract passwords from the manager.

Wrote a quick exploit for another LastPass vulnerability. Only affects
version on https://t.co/lGcefN9YXM (3.3.2), report on way. ¯\_(ツ)_/¯
pic.twitter.com/AgjASiQMfJ

— Tavis Ormandy (@taviso) March 16, 2017

That extension bug has been addressed, we're told, but the security patch
won't be pushed out to people until the update is approved by Firefox-maker
Mozilla. "The team has already issued a patch to fix [version] 3.3.2 and
that updated version is currently in the Mozilla review process," a
LastPass spokeswoman said. She also said the 3.x branch of the add-on is
being retired, and people should move onto the version 4.x family.

As we've said in the past, keep your password managers up to date. They're
like any other software, and all software is exploitable.