Password-Leaking Bug Purged From LastPass Extensions (arstechnica.com)
Developers of the LastPass password manager have patched a vulnerability that made it possible for websites to steal credentials for the last account the user logged into using the Chrome or Opera extension. Ars Technica reports: The vulnerability was discovered late last month by Google Project Zero researcher Tavis Ormandy, who privately reported it to LastPass. In a write-up that became public on Sunday, Ormandy said the flaw stemmed from the way the extension generated popup windows. In certain situations, websites could produce a popup by creating an HTML iframe that linked to the Lastpass popupfilltab.html window, rather than through the expected procedure of calling a function called do_popupregister(). In some cases, this unexpected method caused the popups to open with a password of the most recently visited site. "Because do_popupregister() is never called, ftd_get_frameparenturl() just uses the last cached value in g_popup_url_by_tabid for the current tab," Ormandy wrote. "That means via some clickjacking, you can leak the credentials for the previous site logged in for the current tab."
On Friday, LastPass published a post that said the bugs had been fixed and described the "limited set of circumstances" required for the flaws to be exploited. "To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times," LastPass representative Ferenc Kun wrote. "This exploit may result in the last site credentials filled by LastPass to be exposed. We quickly worked to develop a fix and verified the solution was comprehensive with Tavis."
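The mechanism the write-up describes, a per-tab cache of "which site is asking for a fill" that is only refreshed by an explicit registration call, is easy to model. The following is an added example written for this page, not LastPass's code: the function and variable names are loosely modelled on the ones quoted above (do_popupregister, g_popup_url_by_tabid), the vault entries and URLs are constructed, and the point is to show the defect class next to a hardened handler that binds every fill to a freshly verified requester origin instead of to stale tab state.

```javascript
// Toy model of the bug class described in the summary (added example, not
// LastPass code). A credential vault keyed by site origin, and a per-tab
// cache of the last origin that registered a popup for that tab.
const vault = new Map([
  // Constructed sample entries.
  ["https://bank.example", { user: "alice", password: "constructed-secret-1" }],
  ["https://shop.example", { user: "alice", password: "constructed-secret-2" }],
]);

// Per-tab cache, loosely modelled on the g_popup_url_by_tabid cache named in the write-up.
const popupUrlByTabId = new Map();

// The "expected procedure": a page registers before it can be filled.
function doPopupRegister(tabId, pageUrl) {
  popupUrlByTabId.set(tabId, new URL(pageUrl).origin);
}

// Vulnerable pattern: if a fill request arrives without a registration call,
// the handler silently reuses whatever origin was cached for this tab last time,
// so the previous site's credentials are returned to the current page.
function fillVulnerable(tabId) {
  const cachedOrigin = popupUrlByTabId.get(tabId);
  return cachedOrigin ? vault.get(cachedOrigin) || null : null;
}

// Hardened pattern: the fill handler demands the requester's verified origin on
// every request (in a real extension this comes from the message sender, never
// from page-supplied data) and only fills when it matches the live registration.
// On any mismatch the stale cache entry is dropped, so it cannot be replayed.
function fillHardened(tabId, requesterOrigin) {
  const registered = popupUrlByTabId.get(tabId);
  if (!registered || registered !== requesterOrigin) {
    popupUrlByTabId.delete(tabId);
    return null;
  }
  return vault.get(requesterOrigin) || null;
}

// Walk through the scenario from the summary in one tab: a fill on the first
// site, then a fill request from an unrelated site that never registered.
function simulate() {
  const tab = 7; // constructed tab id
  doPopupRegister(tab, "https://bank.example/login");
  const leaked = fillVulnerable(tab); // stale cache: first site's credentials
  const blocked = fillHardened(tab, "https://other.example"); // mismatch: refused
  return { leaked: leaked ? leaked.password : null, blocked };
}
```

The defensive rule this illustrates is that credential fill must be authorised per request from state the extension itself verified (for a WebExtension, the `sender` argument of the `runtime.onMessage` listener rather than anything the page sends), and that cached tab state should be invalidated rather than reused when a request does not match it.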
Duplicate Posting Bug Still in the Wild (Score:3)
Dude, it's the same DAY.
Re: (Score:3)
I legit thought I was in some kind of time loop. "Did I really read this exact submission this morning or was I somehow glimpsing the future?"
Re: (Score:3)
No lie. I read the original while at work (where I don't have the Lastpass extension), got home and was reading this snippet like "I SWEAR when I read this earlier they mentioned the version # that has the bug fixed . . .".
Slashdot purges bug that creates duplicate posts.. (Score:3)
...or did they?
Hilarious (Score:3)
Yes, the duplicate posting is funny, but the fact that your password manager is leaking your passwords is truly hilarious.
Re:Hilarious (Score:4, Interesting)
Re: Hilarious (Score:3)
Old Maxim:
If it runs in a web browser, it is insecure. No exceptions.
Re: (Score:2)
Old Maxim:
If it runs in a web browser, it is insecure. No exceptions.
Yep. I've yet to find a case where that isn't true.
Running code in a browser is like forcing a blindfolded person into a fireworks factory, giving them a lighter, and telling them to "be careful".