On Google Project Zero’s issue page, Ormandy explained that the flaw stemmed from the way the extension generated its popup windows. In some cases, a website could produce a popup by creating an HTML iframe that pointed at the LastPass popupfilltab.html window instead of going through the do_popupregister() function. In some of those cases, this unexpected path caused the popup to open with the password for the most recently visited site.
https://twitter.com/taviso/status/1173401754257375232
According to Ormandy, an attacker could easily hide a malicious link behind a Google Translate URL, lure users into visiting it, and then extract credentials for a previously visited site.
Google’s Project Zero reporting site reads, "Because do_popupregister() is never called, ftd_get_frameparenturl() just uses the last cached value in g_popup_url_by_tabid for the current tab. That means via some clickjacking, you can leak the credentials for the previous site logged in for the current tab."
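The mechanism Ormandy describes, as an added model that is not LastPass’s code: a per-tab cache of the page origin a fill popup was last registered for, a lookup that falls back to that cached value when the current popup never registered, and a hardened lookup that refuses to use the cache for an unregistered popup. The popup id, the function and variable names, and the sample origins are constructed for the illustration.

```javascript
// Added illustration, not LastPass code: a minimal model of the stale-cache
// logic described in the Project Zero report. A fill popup normally registers
// itself (do_popupregister) so the extension knows which page's parent URL the
// popup belongs to; the bug class is a lookup that falls back to the last value
// cached for the tab when no registration happened for the current popup.

// Per-tab cache of the last registered page origin (models g_popup_url_by_tabid).
const popupUrlByTabId = new Map();

// Popups that went through the registration step, keyed by a popup id.
// (Constructed bookkeeping; the real extension tracked this differently.)
const registeredPopups = new Set();

// Normal path: the popup registers with its tab id and the page origin it serves.
function doPopupRegister(tabId, popupId, pageOrigin) {
  popupUrlByTabId.set(tabId, pageOrigin);
  registeredPopups.add(popupId);
}

// Vulnerable lookup: trusts whatever was last cached for this tab, whether or not
// the current popup registered, so a popup opened without registration (e.g. via
// an iframe pointing at the popup page) inherits the previous site's origin.
function getFrameParentUrlVulnerable(tabId, _popupId) {
  return popupUrlByTabId.get(tabId) ?? null;
}

// Hardened lookup: only a popup that registered may use the cached origin;
// anything else gets no origin, so no stored credentials are selected for fill.
function getFrameParentUrlFixed(tabId, popupId) {
  if (!registeredPopups.has(popupId)) return null;
  return popupUrlByTabId.get(tabId) ?? null;
}

// Scenario from the report with constructed values: the user fills a password on
// one site, then another page in the same tab opens the popup without registering.
function scenario() {
  const tabId = 1;
  doPopupRegister(tabId, "popup-A", "https://bank.example"); // legitimate fill
  const unregistered = "popup-B"; // opened via iframe, never registered
  return {
    vulnerable: getFrameParentUrlVulnerable(tabId, unregistered), // leaks the bank origin
    fixed: getFrameParentUrlFixed(tabId, unregistered),           // null: nothing to fill
  };
}
```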
LastPass patched the reported issue in version 4.33.0, released on 12 September. According to the official blog post, the bug affects its Chrome and Opera browser extensions. The bug is considered dangerous because it relies on executing malicious JavaScript code alone, without the need for user interaction. Ormandy further added, “I think it’s fair to call this ‘High’ severity, even if it won’t work for *all* URLs.”
Ferenc Kun, the security engineering manager for LastPass said in an online statement that this "limited set of circumstances on specific browser extensions" could potentially enable the attack scenario described.
Kun further added, "To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times."
The team at LastPass shared the following list of general security practices:
To know more about this news, check out the official post.