In the span of 24 hours, two security researchers separately acknowledged the discovery of serious security vulnerabilities in the password management service LastPass. The first enabled remote code execution and was fixed earlier today; the second was patched over a year ago, but previously could have been exploited to steal stored credentials. Both were exploitable by luring a potential victim to a malicious website via a phishing attack.
Tavis Ormandy of Google's Project Zero initiative found the newer flaw, describing it last night on his Twitter page as a “complete remote compromise.” LastPass, which allows users to store and encrypt their passwords for any website requiring log-in credentials (Facebook, Gmail, Amazon, you name it), provided even more details in a blog post today, describing the flaw as a message-hijacking bug affecting LastPass's Firefox add-on.
The vulnerability could have allowed bad actors to lure users to a malicious site capable of executing LastPass actions secretly in the background, including the deletion of items. Today, the password service provider pushed a fix for all Firefox users who subscribe to LastPass version 4.0.
Late Wednesday, Ormandy posted the disclosure report he sent to LastPass, in which he described the vulnerability as a “design flaw in communication between privileged and unprivileged components.” This flaw could have allowed an attacker to use fraudulent mouse clicks to trick LastPass into creating a privileged iframe (an HTML document embedded within another HTML document) capable of communicating with the Firefox add-on.
“The frame communicates with the add-on by posting messages to the window, and an event handler on the window determines if it's trusted or not by checking the origin. But that does not make sense, because the window belongs to the attacker so they can just insert their own event handler before yours and modify legitimate messages!” wrote Ormandy in the report.
The malicious iframe could then have asked the add-on to process openURL commands, which ultimately would have granted the bad actor access to privileged LastPass remote procedure call (RPC) protocols that can perform any number of functions, including creating and deleting files and stealing passwords.
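To make the design flaw concrete, here is an added example (not code from LastPass or from Ormandy's report): a small pure-JavaScript model of a privileged listener that trusts event.origin on messages delivered through a page-controlled window, beside a hardened variant that carries the traffic over a channel the page cannot observe. FakeWindow, PrivatePort, the origin https://addon.example and the vault.* command names are assumptions, and routing over extension runtime messaging is a swapped-in mitigation, not a description of the patch LastPass shipped.

```javascript
// Added example, not LastPass's or Ormandy's code: a pure-JS model of the flaw
// above. FakeWindow, PrivatePort, ADDON_ORIGIN and vault.* names are hypothetical.
class FakeWindow {
  constructor() { this.handlers = []; }
  addEventListener(type, fn) { if (type === 'message') this.handlers.push(fn); }
  dispatchEvent(ev) { for (const fn of this.handlers) fn(ev); } // registration order
  // Genuine postMessage: the browser stamps origin and exposes data through a
  // read-only getter; the sender can spoof neither.
  postMessage(data, origin) {
    this.dispatchEvent(Object.create({ get data() { return data; }, origin }));
  }
}
const ADDON_ORIGIN = 'https://addon.example';
// Vulnerable pattern: the only gate is an origin string read from an event
// that travelled through the page's own window.
function installOriginCheckedHandler(win, executed) {
  win.addEventListener('message', (ev) => {
    if (ev.origin !== ADDON_ORIGIN) return;
    executed.push(ev.data.cmd);
  });
}
// Because it owns the window, the page hooks 'message' first and shadows the
// read-only data getter on the event object before the add-on's listener runs.
function installPageListener(win) {
  win.addEventListener('message', (ev) => {
    if (ev.origin === ADDON_ORIGIN) {
      Object.defineProperty(ev, 'data', { value: { cmd: 'vault.delete' } });
    }
  });
}
function runWindowScenario() {
  const win = new FakeWindow(), executed = [];
  installPageListener(win);                             // page scripts run first
  installOriginCheckedHandler(win, executed);
  win.postMessage({ cmd: 'vault.list' }, ADDON_ORIGIN); // benign, genuine message
  return executed; // ['vault.delete']: the origin check passed anyway
}
// Hardened pattern: carry privileged traffic over a channel the page cannot
// observe (in a real extension, runtime messaging rather than window.postMessage).
// PrivatePort stands in for it here: there is no window event for the page to hook.
class PrivatePort {
  constructor(onmessage) { this.onmessage = onmessage; }
  postMessage(data) { this.onmessage({ data }); }
}
function runPrivatePortScenario() {
  const executed = [], port = new PrivatePort((ev) => executed.push(ev.data.cmd));
  installPageListener(new FakeWindow());   // the page still hooks its window...
  port.postMessage({ cmd: 'vault.list' }); // ...but this message never touches it
  return executed; // ['vault.list']
}
```

The takeaway for reviewers of extension code is that an origin check proves who sent a message, not that the message reached you untouched; any hop through a window the page controls is a hop the page can rewrite.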
Ormandy also promised on Twitter to look into competing password service 1Password. Neither Ormandy nor Google responded to requests for an interview.
The other flaw was a URL parsing bug that resided in LastPass' auto-fill functionality, which is designed to automatically enter users' stored passwords into websites' log-in forms. Bad actors could have exploited this vulnerability by sending victims to a malicious website capable of tricking a LastPass browser extension into thinking users were visiting sites they actually weren't. This scenario would trigger LastPass' auto-fill functionality – provided it was enabled – to reveal a victim's credentials for whatever site they were supposedly visiting, allowing an attacker to extract the data.
That vulnerability was discovered by Detectify Labs Security Researcher Mathias Karlsson, who told SCMagazine.com in an interview that this "could all be done in the background, so as long as you click on the link, you wouldn't really know that the passwords were stolen."
Karlsson said he “actually didn't spend more than a few hours” investigating LastPass before finding the bug. “I would say that it was a little bit lucky because I found it in the first part of the code that I looked at,” he added.
LastPass pushed a fix for this issue less than a day after it was originally reported over a year ago. Still, Karlsson recommends that users of password management services eschew auto-fill features if possible.
“As always, we appreciate the work of the security community to challenge our product and ensure we deliver a secure service for our users,” according to a statement that LastPass provided to SCMagazine.com. “Our team worked directly with the security researchers to verify the reports made and worked quickly to issue a fix for LastPass users.”
UPDATE: This story has been updated to include additional vulnerability details supplied by Tavis Ormandy.