Friday, 10 July 2015

LastPass For Firefox Vulnerable To Password Theft

A vulnerability in the popular online password manager LastPass allows attackers to steal passwords. The problem was present in LastPass for Google Chrome and Internet Explorer, but it is solved. Only the Firefox version is currently still leak.

LastPass is a popular cloud service where users their passwords for various websites and services in a "safe" to store. The software comes in the form of an add-on for the browser. Security Researcher Matthew Bryant discovered that the browser extension is vulnerable to clickjacking. These attackers can "click" by a user hijack and use it for other purposes.

A malicious website can the window to automatically fill in passwords from an "overlay" feature and thus steal the password of users and which may be tempted to copy and paste their passwords. The attack only works on sites that do not use the X-Frame-Options header. This header can be used to determine whether a browser a page in a frame, iframe, and may display object. Websites can use the header to prevent their content on other websites is embedded, and prevent clickjacking attacks.


Bryant warned LastPass on April 3 this year. On April 22, the Chrome version of LastPass patched. Eventually there appeared an update for the IE version. Although LastPass developers also developed a patch for the Firefox version and put it to Mozilla, the patch is still not verified by Mozilla. Something that, according Bryant is the scariest of the leak. "It is worrying that require security updates for Mozilla add-ons months to reach the user. It has definitely changed my view on Firefox from a security perspective," he notes. For demonstration made the researcher video below.


The criticism of Bryant seems on reflection unfounded as there is on 24 April this year published an update to the Firefox version that measures have been taken to prevent the attack which the researcher describes. We've Bryant asked for comment that the problem is indeed in this version, with the number 1.3.95 is resolved.

Bryant states that the version offered by LastPass on the website is patched, but the version offered is still vulnerable through Users would then have to manually install the new version to be protected.

Bryant says that Mozilla Firefox approved the final version July 6, after his revelation and criticism had revealed the slow approval process on 1 July. In addition, it logs erroneously that the version would be available since April 24, while the end of June is still vulnerable version was offered.

No comments:

Post a Comment