LastPass has had to patch a flaw in one of its browser extensions that could have enabled hackers to steal passwords from users after visiting a malicious website.
LastPass is a popular password manager which stores encrypted passwords in private accounts. It offers free and paid-for versions.
Two vulnerabilities were found by seasoned security researcher Tavis Ormandy who works for Google's Project Zero.
According to a security advisory posted by Ormandy, the flaw affecting the LastPass Chrome extension works by attacking an intermediary JavaScript code between a browser and LastPass' cloud service, which stores user passwords.
“This script will proxy unauthenticated window messages to the extension. This is clearly a mistake,” he said in the advisory. “This allows complete access to internal privileged LastPass RPC commands. There are hundreds of internal LastPass RPCs, but the obviously bad ones are things copying and filling in passwords (copypass, fillform, etc).”
Ormandy developed proof-of-concept code that launches an application (in this case Windows Calculator), via this JavaScript code. The code could be altered to steal user passwords before they are populated in the browser's username and password fields.
“There are a lot of RPCs, allowing complete control of the LastPass extension, including stealing passwords. If you have the 'Binary Component' installed, this even allows arbitrary code execution,” added Ormandy.
LastPass tweeted that it had already fixed the issue reported by the Google researcher and would publish further details later.
A second bug affects LastPass's Firefox add-on version 3.3.2 only. According to Ormandy, this only affects LastPass' Firefox extension, version 3.3.2. As with the Chrome extension, the flaw can be exploited by malicious webpages to extract passwords from the manager. This version of the LastPass add-on is set to be retired by the firm.
Ormandy has also found a similar bug in LastPass version 4.1.35 for Firefox. The researcher is gaining quite a reputation in finding bugs with LastPass. In July last year, he discovered a flaw in LastPass that allowed remote code execution.
Barry Scott, CTO EMEA at Centrify, told SC Media UK that this is not the first, or last time, that password managers will face major security issues, but perhaps the biggest security concern is the users themselves.
“The fact remains that anyone using a password as the sole means of authentication to a website, whether at home or at work, is putting themselves (and their company) at risk. Even using complex passwords, users should always take advantage of multi-factor authentication (MFA) to protect the password with another layer of security, and if a particular site doesn't offer MFA, users should lobby the site to include the feature or move to another provider,” he said.
Dave Levy, associate partner at Citihub Consulting, told SC that password managers must be built with Kerckhoff's principle in mind. This means that “a secure system only requires the key/password to be secret and that the algorithms and code should thus be public and readable by users/customers”.
“In this way, they can be sure of what the code/product does, that there are no bugs and no backdoors,” he added.
