LastPass Vulnerability Revealed

Apr. 6, 2017  |  By Yacin Nadji

It happened. An exploit of the popular password manager LastPass was revealed. The bug -- disclosed by Tavis Ormandy, of Google Project Zero fame -- relied on "consumer onboarding features" that allowed unauthenticated access to the LastPass API. Consequently, an attacker could trick users of a LastPass extension on Chrome, Firefox, or Edge into visiting a malicious page that would reveal the user's password for any website. To make matters worse, if a user had installed a helper binary, which enables features like fingerprint authentication and sharing login state between browsers, the vulnerability allowed remote code execution (RCE). A band-aid was quickly applied, removing the DNS record for the offending domain, and the vulnerability has since been patched.

IISP Analyst Yacin Nadji: “The bug itself seems no more than a mistake, but it raised some interesting issues with respect to usability, and the quick fix. First, this struck me as a classic example of how pushing for usability and integrating across systems (in this case, the browser and the underlying OS) can increase the attack surface and lead to security problems down the road. Clearly the binary extension (installed by 10% of their user base) makes the software more usable, but the cost was RCE when a vulnerability was found. Ormandy himself recommended using KeePass, which doesn't come with browser plugins -- arguably making the software much less user-friendly.

Second, the quick fix was to remove the DNS record for the domain that needed to resolve to launch the attack, which was under the control of LastPass. Essentially, if the attack was attempted, the DNS resolution process would return NXDOMAIN and the request necessary for the exploit would not continue. This, however, ignores situations where the domain would resolve anyway, such as under ISPs or Enterprises that do NXDOMAIN rewriting in proxies, or users being subjected to a man-in-the-middle attack. This was disclosed in Ormandy’s bug report, but it seems that particular issue was not conveyed properly. All said, they quickly solved the issue on the server-side.

For concerned readers, don't let this dissuade you from using a password manager, but be wary of installing components that may unnecessarily increase your attack surface.”
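The analyst's point about NXDOMAIN rewriting can be checked directly: a "remove the DNS record" mitigation only holds on resolvers that actually return NXDOMAIN for names that do not exist. The following is an added example, not code from LastPass or from the original article; the resolvers, zone contents and the `sinkholed.example.com` host name are constructed placeholders, and the real system resolver is only wired in as an option for readers who want to test their own network.

```python
import secrets
import socket
from typing import Callable, Dict, Optional

# A resolver maps a host name to an IPv4 string, or None when the name does not exist.
Resolver = Callable[[str], Optional[str]]


def probe_nxdomain_rewriting(resolve: Resolver, base_domain: str, probes: int = 3) -> bool:
    """Return True if the resolver hands back an address for names that cannot exist.

    Each probe is a random 16-hex-character label under base_domain; an honest
    resolver must answer NXDOMAIN (None here) for all of them.
    """
    for _ in range(probes):
        label = secrets.token_hex(8)
        if resolve(f"{label}.{base_domain}") is not None:
            return True
    return False


def dns_removal_blocks_request(resolve: Resolver, sinkholed_host: str) -> bool:
    """True only if deleting the record actually makes the host unresolvable here."""
    return resolve(sinkholed_host) is None


def assess(resolve: Resolver, sinkholed_host: str, base_domain: str = "example.com") -> Dict[str, bool]:
    """Summarise whether a DNS-record-removal mitigation can be trusted on this resolver."""
    return {
        "rewriting": probe_nxdomain_rewriting(resolve, base_domain),
        "mitigation_holds": dns_removal_blocks_request(resolve, sinkholed_host),
    }


# --- Constructed resolvers for offline demonstration (placeholder data) ---
HONEST_ZONE = {"www.example.com": "192.0.2.10"}
SEARCH_PAGE = "198.51.100.1"  # constructed "helpful" landing page an ISP proxy might substitute


def honest_resolver(name: str) -> Optional[str]:
    return HONEST_ZONE.get(name)


def rewriting_resolver(name: str) -> Optional[str]:
    # Models NXDOMAIN rewriting: every unknown name resolves to the search page.
    return HONEST_ZONE.get(name, SEARCH_PAGE)


def system_resolver(name: str) -> Optional[str]:
    # Optional: query the host's real resolver; not used by the offline checks above.
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None
```

Running `assess(rewriting_resolver, "sinkholed.example.com")` reports that rewriting is present and the mitigation does not hold, which is exactly the gap the analyst describes.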
