LastPass is a password manager (a browser extension backed by a web vault) that lets users log into large numbers of sites without remembering a password for each one. The company recently announced a fix for a bug that would have allowed a malicious website to obtain the credentials LastPass had stored for the last site the user visited.
Google Project Zero researcher Tavis Ormandy found the bug and reported it privately to LastPass last month; this past Sunday he published the issue. Under some circumstances, an HTML iframe that loaded LastPass's popupfilltab.html (a page belonging to the browser extension) caused the fill popup to open pre-filled with the credentials for the site the user had most recently visited, rather than the site currently in the tab.
Problems Caused by the Bug
The vulnerability stems from the popup being created without going through the normal path. Normally the popup is opened via a function called do_popupregister(), which records the URL of the page requesting a fill. Framing popupfilltab.html directly skipped that call, so ftd_get_frameparenturl() fell back to the last cached value of g_popup_url_by_tabid for the user's tab, which was simply the URL of the previous site, and the credentials for that site were offered up.
Turning this into an attack relied on clickjacking. In a clickjacking attack the attacker's page overlays an invisible or disguised frame (here, the framed fill popup) on top of content the user thinks they are clicking, so a click the user believes is harmless actually lands on the popup and triggers the fill. Ormandy described further tricks a malicious actor could use to get past the remaining checks, including combining two domains into a single URL and using the LP_iscrossdomainok() routine, which relaxes the cross-domain check for domains LastPass treats as equivalent.
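As an added illustration (not code from LastPass or from Ormandy's write-up), the following JavaScript models the two problems described above: a popup-fill path that falls back to a stale per-tab cache when the registration step is skipped, beside a hardened version that fails closed and re-checks the live tab URL, plus a framing guard for the popup page itself. The vault entries, URLs, tab and navigation ids and the extension origin are constructed sample data, and the fix strategy is an assumption about sound practice, not a description of LastPass's actual patch.

```javascript
// Added illustration, not LastPass's code. Names such as do_popupregister,
// ftd_get_frameparenturl and g_popup_url_by_tabid mirror the write-up only
// to make the flow easy to follow; everything else is an assumption.

// Constructed sample vault: credentials keyed by hostname.
const vault = {
  "bank.example": { user: "alice", pass: "correct-horse" },
  "shop.example": { user: "alice", pass: "battery-staple" },
};

function hostOf(url) {
  return new URL(url).hostname;
}

// ---------- Vulnerable model ----------
// The normal path registers the requesting page's URL for the tab.
const g_popup_url_by_tabid = new Map();

function do_popupregister(tabId, pageUrl) {
  g_popup_url_by_tabid.set(tabId, pageUrl);
}

// Returns whatever was cached last, even if the user has since navigated
// and the popup was opened through a path that never registered.
function ftd_get_frameparenturl(tabId) {
  return g_popup_url_by_tabid.get(tabId);
}

function fillVulnerable(tabId) {
  const url = ftd_get_frameparenturl(tabId);
  return url ? (vault[hostOf(url)] ?? null) : null;
}

// ---------- Hardened model ----------
// Assumed fixes (not a description of LastPass's patch):
//  1. no registration for this tab => no fill (fail closed);
//  2. a registration is tied to one navigation and consumed on use;
//  3. the credential's host is re-checked at fill time against the tab URL
//     the browser reports, never against page-controlled data.
const registrations = new Map(); // tabId -> { pageUrl, navId }

function registerPopup(tabId, pageUrl, navId) {
  registrations.set(tabId, { pageUrl, navId });
}

// liveTab is what a browser API such as tabs.get would report: { url, navId }.
function fillHardened(tabId, liveTab) {
  const reg = registrations.get(tabId);
  if (!reg) return null;                 // opened without registering
  registrations.delete(tabId);           // one registration, one fill
  if (reg.navId !== liveTab.navId) return null; // belongs to an older navigation
  const liveHost = hostOf(liveTab.url);
  if (hostOf(reg.pageUrl) !== liveHost) return null; // page moved elsewhere
  return vault[liveHost] ?? null;
}

// ---------- Clickjacking guard for the popup page ----------
// The popup page should render only when every ancestor frame is the
// extension's own origin. ancestorOrigins is what the page would read from
// location.ancestorOrigins; the extension origin here is a placeholder.
function mayRenderPopup(ancestorOrigins, extensionOrigin) {
  return ancestorOrigins.every((o) => o === extensionOrigin);
}

// Scenario: the user logs in at bank.example (popup registered for tab 1),
// then visits attacker.example, which frames the popup page without registering.
function scenario() {
  do_popupregister(1, "https://bank.example/login");
  const leaked = fillVulnerable(1); // stale cache => bank credentials leak

  registerPopup(1, "https://bank.example/login", 7);
  const attackerTab = { url: "https://attacker.example/", navId: 8 };
  const blocked = fillHardened(1, attackerTab); // null: navigation changed

  const framed = mayRenderPopup(
    ["https://attacker.example"], "chrome-extension://exampleid"); // false
  return { leaked, blocked, framed };
}

console.log(scenario());
```

The point of the hardened version is that the fill decision is anchored to facts the browser vouches for at the moment of the click (the live tab URL and navigation) rather than to whatever the last caller happened to cache, and that the popup refuses to draw at all when something other than the extension is framing it.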
Responding to the Issue
LastPass moved swiftly once Ormandy disclosed the vulnerability, and last Friday shipped an extension update (version 4.33.0) that it believes fully resolves the problem. The episode also illustrates a structural risk of password managers, which security practitioners otherwise rightly recommend.
Password managers make it easy to use a truly unique, randomly generated password for every site, one that cannot be guessed. The flip side is that the manager becomes a single point of failure: a flaw in it can expose credentials for many sites at once, possibly including sensitive ones such as bank and pension accounts.
Enabling two-factor or multi-factor authentication on the sites themselves limits what a leaked password is worth, and keeping the extension up to date matters because fixes like this one ship as extension updates. Vendors such as LastPass also need to stay on their toes when resolving reported bugs. LastPass has run into security problems before, including a fingerprint verification issue and earlier password-exposure vulnerabilities.
While LastPass works on its own vulnerabilities, the average consumer can turn to solutions like Secure Forensics. Our team of digital forensics experts has years of experience finding security flaws and ending data breaches. We can not only restore lost data, but also track down who was responsible for a cyberattack, learn how the attack was performed, and take steps to rectify the problem.
Secure Forensics has served major clients in healthcare and education, as well as individual computer users. Our team is available to deploy anywhere in the world and can be reached at 1-800-288-1407.