Note: This issue has already been resolved and pushed to the Lastpass users.
Stealing all your passwords by just visiting a webpage. Sounds too bad to be true? That’s what I thought too before I decided to check out the security of the LastPass browser extension.
For those who don’t know, LastPass is one of the world’s most popular password managers.
I started by noticing that the extension added some HTML code to every page I visited, so I decided to dig into how that worked. A few cups of coffee later, I found something that looked really, really bad.
The bug that allowed me to extract passwords was found in the autofill functionality. First, the code parsed the URL to figure out which domain the browser was currently at, then it filled any login forms with the stored credentials.
However, the URL parsing code was flawed (bug in URL parsing? shocker!).
This was the code (lpParseUri function, un-minified):
var fixedURL = URL.match(/^(.*:\/\/[^\/]+\/.*)@/); fixedURL && (url = url.substring(0, fixedURL.length) + url.substring(fixedURL.length).replace(/@/g, "%40"));
By browsing this URL: http://email@example.comfirstname.lastname@example.org the browser would treat the current domain as avlidienbrunn.se while the extension would treat it as twitter.com. Since the code only URL encodes the last occurence of @, the actual domain is treated as the username portion of the URL.
Too bad to be true?
Below you see that the extension would fill my form with the stored credentials for twitter.com. After that I could simply go through other commonly used sites and extract credentials for those too.
I reported this to LastPass through their responsible disclosure page and the report was handled very professionally. The fix was pushed in less than a day(!), and they even awarded me with a bug bounty of $1,000.
Are passwords managers bad?
Should we stop using password managers? No. They are still much better than the alternative (password reuse).
Although, taking a second to disable autofill functionality is a good move because this isn’t the first autofill bug we’ve seen, and I doubt it will be the last.
Also, this would not work if multi factor authentication was on, so you should probably enable that as well.
Update #1 2016.07.28: There has been a lot of comments regarding the reward Mathias received from Lastpass. At the time Mathias submitted this they didn’t have a bug bounty so he was more than satisfied with $1,000.
Update #2 2016.07.28: Lastpass have made a comment regarding Mathias finding on their blog.