In July 2016, Ormandy found a similar bug that allowed attackers to extract passwords from LastPass. Below is a screenshot of the second bug in action, while a demo page for the third issue is here. Just like the Chrome extension issue, the exploitation vector for these two issues is malicious JavaScript code that can be hidden in any online website, owned by the attacker or via a compromised legitimate site. The LastPass Chrome and Firefox extensions don't use the same version numbers, and the v3 on Firefox is the stable branch.
LastPass told Ormandy that version 3.3.2 is their most popular version.ĭespite this, two weeks ago, LastPass announced they were retiring the LastPass Firefox add-on v3.3.2 because of Firefox's future plans to drop the old Add-ons API and move to a new system they call WebExtensions. The second and third bugs Ormandy discovered affect the LastPass Firefox add-on version 3.3.2 only. On Twitter, LastPass said they already fixed the issue reported by Ormandy in the Chrome extension and later published a blog post with more details about all issues. LastPass users are exposed to simple attack vectors, as attackers can host the weaponized code as a regular JS script on a website. This PoC code can be altered to steal user passwords before they are copied and filled inside username and password fields. All OS platforms are affected, not just Chrome on Windows. Ormandy put together proof-of-concept code that executes code on a user's machine via this intermediary script and launches an instance of the Windows Calculator.
If you have the 'Binary Component' installed, this even allows arbitrary code execution." "There are a lot of RPCs, allowing complete control of the LastPass extension, including stealing passwords. "It's possible to proxy untrusted messages to LastPass 4.1.42 due to a bug, allowing websites to access internal privileged RPCs (Remote Procedure Calls). The vulnerability affecting the LastPass Chrome extension can be exploited by attacking an intermediary JS script that stands between the user's browser and the LastPass cloud service, where the company stores user passwords. One bug affected the LastPass for Chrome extension, while the other two affected the company's Firefox add-on. LastPass patched three separate bugs that affected its Chrome and Firefox browser extensions, which if exploited, would have allowed a third-party to extract passwords from users visiting a malicious website.Īll bugs were discovered by Tavis Ormandy, a security researcher working for Google's Project Zero.
0 kommentar(er)
