from Hacker News

LastPass autofill exploit

by detectify on 7/27/16, 9:38 AM with 420 comments

  • by cyberpanther on 7/27/16, 12:25 PM

    Great catch and everyone should know there is an easy way to parse URLs in JS. Just create an anchor element and let the browser parse it for you. Like so:

      var parser = document.createElement('a');
      parser.href = "http://example.com:3000/pathname/?search=test#hash";
      parser.protocol; // => "http:"
      parser.hostname; // => "example.com"
      parser.port;     // => "3000"
      parser.pathname; // => "/pathname/"
      parser.search;   // => "?search=test"
      parser.hash;     // => "#hash"
      parser.host;     // => "example.com:3000"

  • by mcs on 7/27/16, 10:13 AM

    Please correct me if I am mistaken, but couldn't this have been implemented into an iframe that, when run, could send the passwords to another remote server?

    If so, I am a little taken aback by LastPass only offering $1,000 to the researcher that found and reported it for fixing. He or she could have taken a different path that resulted in this being used in some complex targeted attack against tech corporations via short-url redirect interstitial pages, or an ad network's javascript, etc. Given the potential damage, I'd say there is a missing zero or two on that reward amount, in my opinion.

  • by ktta on 7/27/16, 10:16 AM

    I've been using LastPass for about 3 years, and now I'm seriously thinking about all the times people told me about how storing passwords in someone else's cloud is bad.

    I've been defending LastPass and recommending it to everyone till today. Now I'm thinking about how I might have to 'pay' for a software vulnerability in some private (read:unauditable by me) code. All the comments about offline, local backups make sense to me.

    But the points I usually make are still valid, like:

    1. I can go to any computer with chrome and get access to all my passwords, so don't have to carry my passwords with me everywhere.

    2. Don't have to worry about storing passwords properly since lastpass is a good company and they know their stuff about protecting the customers' data.

    3. Password capture. It might seem like a tiny feature, but I'm too lazy to remember opening an app and entering my credentials whenever I create an account or log into an old account.

    4. Mobile login: although a paid feature, this really changes my life. If I don't trust a computer enough to login via chrome or something else, or want my secret notes, I just open up my phone.

    But all the above features mean nothing when it comes to the chance of compromising all my passwords (except bank info, of course).

    I'd like to hear the thoughts of anyone else who uses lastpass and what they think.

  • by viraptor on 7/27/16, 10:00 AM

    It looks like there's more interesting stuff coming in soon: https://twitter.com/taviso/status/758074702589853696

    (to save a click: Tavis Ormandy: "Are people really using this lastpass thing? I took a quick look and can see a bunch of obvious critical problems. I'll send a report asap.")

  • by avolcano on 7/27/16, 10:01 AM

    I'm generally very sympathetic to regex bugs (especially in a language like JavaScript where you don't get nice expanded multiline regexes with comments), but I am wondering why they went with a regex in the first place. Did they decide `document.location.host` was too brittle for some reason?

  • by jacobsladder on 7/27/16, 5:04 PM

    $1000 for the bug bounty? This is incredibly stupid! How can you make a living off that? You could make hundreds of thousands of US$ from exploiting this. You could sell it on the black market. I am surprised that most of the corporations, even respectable ones, are awarding peanuts for something that is so important to their business process. This makes my blood boil. I operate a small business website and I awarded $3k just because someone found a way to brute force passwords without getting rate limited. This is quite simply unacceptable.

    I think the company should have paid $100,000.

  • by punjabisingh on 7/27/16, 5:06 PM

    It's confusing that the LastPass site is claiming only Firefox is impacted. [1] Whereas the security researcher's site (detectify.com) shows the vulnerability running in Chrome. [2]

    Furthermore, the current live version on Firefox addons repository is 3.x [3], which the LastPass team claims is not vulnerable. [1]

    [1] https://blog.lastpass.com/2016/07/lastpass-security-updates.... [2] https://labs.detectify.com/2016/07/27/how-i-made-lastpass-gi... [3] https://addons.mozilla.org/en-US/firefox/addon/lastpass-pass...

  • by xur17 on 7/27/16, 3:55 PM

    The end of this article mentions that "Also, this would not work if multi factor authentication was on, so you should probably enable that as well."

    Does anyone know why that is the case? It seems like this exploit is just taking advantage of the js that autofills forms on the page based on domain. You can still use autofill if you have multifactor enabled.

  • by lukasm on 7/27/16, 12:29 PM

    Another regex bug, what a surprise. Do not store the whole password in LastPass. To mitigate this kind of attack I store only part of it on LastPass. The full password is <last_pass_generated_password> + <few_char_nonce_that_I_know_how_to_generate_in_my_head> + <short_password_stored_in_my_head>

    It's just a tiny overhead to my workflow.

  • by yonilevy on 7/27/16, 3:04 PM

    The autofill feature starts sounding like the benefit isn't worth the risk. It's kind of odd when thinking about it, that my passwords can be decrypted without me explicitly asking for them. I hope there aren't other mechanisms aside from autofill that allow that. While we're here - is there a way to disable autofill in LastPass entirely?

  • by 0xmohit on 7/27/16, 10:44 AM

    One should really consider using open source tools for such things. The good thing is that those are battle-tested really well and are, usually, more secure than the commercial offerings.

    An example is Vault [0].

    Encryptr [1] is another alternative: it claims that "all of your data will be saved in encrypted format in our Zero Knowledge [2] cloud".

    [0] https://github.com/hashicorp/vault

    [1] https://spideroak.com/solutions/encryptr

    [2] https://spideroak.com/features/zero-knowledge

  • by zouhair on 7/27/16, 10:13 AM

    People trusting a third party for their passwords boggles my mind.

  • by baby on 7/27/16, 1:47 PM

    Does someone understand the snippet?

      var fixedURL = URL.match(/^(.*:\/\/[^\/]+\/.*)@/);
    
      fixedURL && (url = url.substring(0, fixedURL[1].length) + url.substring(fixedURL[1].length).replace(/@/g, "%40"));
    
    It looks like:

    * fixedURL is whatever is after :// and up until the very last @ (greediness)

    * the second line fixedURL && is going to complete if fixedURL is not undefined

    * url = this fixedURL, then the rest of it where @ was replaced by %40

    so basically, entering http://avlidienbrunn.se/@twitter.com/@hehe.php will give

    url = avlidienbrunn.se/@twitter.com/%40hehe.php

    if I understand correctly. What happens after?

    EDIT: it must be that the last [^/.]* before @ is taken as the domain name. But why split the URL before an @ sign? I'm confused
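    The two snippets discussed above (the anchor-element parser in cyberpanther's comment and the `@`-escaping step quoted by baby), worked through as an added example; this is not code from the original thread, from the detectify post, or from the LastPass extension. `escapeTrailingAt` is the quoted step with `url` used consistently as the variable name. `naiveHost` is a constructed stand-in for a hand-rolled host extractor that splits on the last `@` to cope with `user:pass@host` URLs; it is not LastPass's actual code, and `shouldAutofill` is a hypothetical name. It runs under Node, which exposes the same WHATWG `URL` parser the browser uses behind the anchor-element trick:

```javascript
// Added example, not code from the thread or the LastPass extension.
// The first URL is the one quoted in the post; the second is constructed
// to show the legitimate user:pass@host form that "@" handling exists for.
const EXPLOIT_URL = "http://avlidienbrunn.se/@twitter.com/@hehe.php";
const USERINFO_URL = "http://alice:s3cret@example.com/login"; // constructed

// The normalisation step quoted in the thread (same regex, single variable
// name): greedily capture up to the last "@" whose prefix looks like
// scheme://host/..., then percent-encode every "@" after that point.
function escapeTrailingAt(url) {
  const fixedURL = url.match(/^(.*:\/\/[^\/]+\/.*)@/);
  if (fixedURL) {
    const cut = fixedURL[1].length;
    url = url.substring(0, cut) + url.substring(cut).replace(/@/g, "%40");
  }
  return url;
}

// Constructed, deliberately naive host extractor (NOT LastPass's code):
// drop the scheme, treat whatever follows the last "@" as the host, and
// stop at the first "/". Correct for user:pass@host, wrong for "@" in a path.
function naiveHost(url) {
  const noScheme = url.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "");
  const afterAt = noScheme.slice(noScheme.lastIndexOf("@") + 1);
  return afterAt.split("/")[0];
}

// What the thread recommends instead: let the platform URL parser decide.
// In a page this is the anchor-element trick; in Node it is the global URL.
function parsedHost(url) {
  return new URL(url).hostname;
}

// Hypothetical autofill gate: fill only when the parsed hostname of the page
// exactly matches the hostname stored with the credential. Unparsable input
// is treated as "do not fill" rather than falling back to string matching.
function shouldAutofill(pageUrl, entryHost) {
  let host;
  try {
    host = parsedHost(pageUrl).toLowerCase();
  } catch (e) {
    return false;
  }
  return host === entryHost.toLowerCase();
}

// Walk the exploit URL through both paths so the difference is visible.
function demo() {
  const escaped = escapeTrailingAt(EXPLOIT_URL);
  return {
    escaped,                                   // "...@twitter.com/%40hehe.php"
    naive: naiveHost(escaped),                 // "twitter.com"
    parsed: parsedHost(EXPLOIT_URL),           // "avlidienbrunn.se"
    fillTwitter: shouldAutofill(EXPLOIT_URL, "twitter.com"), // false
  };
}

console.log(demo());
```

    Chaining the quoted escaping step with a last-`@` split turns the post's URL into `twitter.com`, while `new URL(...)` reports `avlidienbrunn.se` for the same string and still handles the `user:pass@host` form that the `@` handling was presumably written for.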

  • by danr4 on 7/27/16, 3:20 PM

    Only one person mentioned it, so I'll pitch in - Dashlane [1] is a great password manager, and its communication with their customers is top notch (customer service and security wise [1]). Speaking as a humble premium user who thinks they don't get enough credit.

    [1] https://www.dashlane.com/download/Dashlane-Security-Whitepap...

  • by pdxpatzer on 7/27/16, 3:15 PM

    I am using PasswordSafe ( pwsafe.org ) and Dropbox to sync to the cloud. I do not use autofill, nor did I ask my browser to manage my passwords. There are a mix of open source and commercial implementations covering all platforms (iOS, Android and what not). PasswordSafe has also been audited.

    Why isn't PasswordSafe more popular? What do other password managers have that Password Safe does not?

  • by archangel11235 on 7/27/16, 7:34 PM

    The link says that the issue has been resolved, but does it not mean that before the fix, passwords could have been leaked? If so, should one be updating all their stored passwords? I'm not sure if this has been discussed in the comments here. There are 342 comments at this time; haven't read all of them.

  • by PeterWhittaker on 7/27/16, 1:48 PM

    From TFA: Note: This issue has already been resolved and pushed to the Lastpass users.

    The open questions are a) how long the flaw existed prior to being fixed and b) whether attackers were able to exploit the flaw.

  • by dkopi on 7/27/16, 10:34 AM

    Seems like the fan is about to get hit again:

    http://www.zdnet.com/article/lastpass-zero-day-vulnerability...

  • by mohsinr on 7/27/16, 1:32 PM

    LastPass user here, thanks for getting this fixed. For any other bug/attack like this in future, I suggest we uncheck this option: "Automatically Fill Login Information" in the preferences tab. Would this have helped in the case of this attack? Or would information still have been leaked?

  • by tombert on 7/27/16, 1:28 PM

    I never fully trusted any centralized password managers. Since I'm a paranoid goober, I've ended up dumping LastPass and using the Unix "pass" tool.

    Anyway, I'm glad that LastPass has resolved this; last thing I want in the news is another big password breach.

  • by pbininda on 7/27/16, 9:58 AM

    If I read this article correctly, the headline should actually be: How I made LastPass give me all MY passwords

    Update: after a few answers to my badly thought through comment, I now feel enlightened. The attack scenario is a malicious web site which can gobble up my passwords. Thanks

  • by paulmd on 7/27/16, 7:04 PM

    Honestly you should not be running a password manager that directly ties into your browser. Period. It's an unnecessary attack surface on a high-value target.

    Running as a separate application outside the browser is 95% as easy thanks to auto-type.

  • by dkersten on 7/27/16, 10:43 AM

    It's been recommended (at least as long as I've been using Lastpass, so a few years) that you keep autofill disabled, for exactly the reason mentioned in the article.

    "Also, this would not work if multi factor authentication was on, so you should probably enable that as well."

    If you have something as important as a password manager (ie something that holds the keys to ... everything), then MFA is a must. If you use LastPass without MFA, then you're probably asking for trouble.

  • by JustUhThought on 7/29/16, 2:37 PM

    Given LastPass has pretty much one job to do, protect your passwords, I feel they should refund subscribers' money (a month or several months) every time it's shown they haven't done their job. It's gotten to the point of being ridiculous how often I've come to HN and seen some new LastPass exploit. Once your password is compromised you could lose everything up till that point in time which was protected by that password. All your money in your bank account. All your photos in the cloud. The confidentiality of your IP. The secrecy of something in your personal life. In other words, it is accumulative. So really, if due to poor engineering on LastPass's behalf you lose it all at any point, you've really only been investing in a time bomb. You're making monthly investments in something growing more valuable each day until the day arrives at which the value could drop to zero. Or worse, drop to zero and cost you. But LastPass seems to treat security issues as non-accumulative costs. Because for them, it isn't accumulative. They keep collecting subscription fees, adding new features, advertising to reach new customers, and maintaining a fundamentally broken product.

  • by mmaunder on 7/27/16, 11:19 PM

    Tavis Ormandy tweeted yesterday that he found something:

    https://twitter.com/taviso/status/758143119409885185

    Tavis has made quite a name for himself lately by going after AV vendors with no mercy. So when he tweeted, the community sat up and took notice. (Our own Slack was busy with discussion about this today)

    Mathias, author of this post, replied to Tavis with this:

    https://twitter.com/avlidienbrunn/status/758232557829914624

    The fix for the detectify exploit has already been pushed to users, so I'm guessing they were holding onto this public disclosure but Tavis putting his sights on lastpass too caused them to move the schedule up a little.

    And the exploit from Tavis from 4 hours ago:

    https://bugs.chromium.org/p/project-zero/issues/detail?id=88...

  • by sergioisidoro on 7/27/16, 4:22 PM

    LastPass also has a flaw on 2FA. They cache local copies of the encrypted files, and the auto-fill populates the fields after the password, before prompting for 2FA.

    It does erase the fields and prompt for 2FA, but passwords are available briefly.

    I sent a ticket to their support; they acknowledged the issue and just asked me to disable local cache... (Chrome extension)

  • by artursapek on 7/27/16, 2:04 PM

    I wonder if it would be possible to use window.history.replaceState to do this after the page loads - eg, not having to link the user directly to www.badsite.com/@twitter.com. A link to www.badsite.com by itself wouldn't even look remotely suspicious.

    You could even use replaceState to change it back immediately.

  • by EGreg on 7/27/16, 2:42 PM

    I would say password reuse can be pretty good! Simply have your own rule such as "letters 2 and 5 of the domain name" and combine those with your reusable password.

    In fact, I'd go further and say that you can do this with your login name. So for example:

    myemail+by@gmail.com for eBaY

    This also helps mitigate those attacks where the attacker actually contacts support and socially engineers them into giving all your info and even stealing your account:

    https://medium.com/@espringe/amazon-s-customer-service-backd...

    If you are hosting with AWS you should really consider doing that

    http://www.techinsider.io/hacker-social-engineer-2016-2

  • by cdecker on 7/27/16, 11:40 AM

    Now I feel kind of smug about my Yubikey + passwordstore setup, plain GPG wins again :-)

  • by lyonlim on 7/27/16, 2:39 PM

    If autofill is potentially so dangerous, and in this instance, the prerequisite setting for this to work, why should it even be a feature?

    People who enable it might not understand the repercussions.

    I use 1Password and always invoke a shortcut to fill in my credentials.

  • by Christofer on 7/28/16, 7:20 AM

    Enpass is the best alternative to LastPass. I switched over from LastPass a few months ago.

    First I decided on 1Password to replace LastPass, but it puts a lot of weight on my pockets as it's very expensive. Then I encountered Enpass. It's a really good password manager. What I like about Enpass is that it saves the database locally on my device, not on their server, and gives the desktop app for free.

    It's worth a try and it hardly takes a few minutes to move all your LastPass database into Enpass. https://www.youtube.com/watch?v=Fn69hHur3Jo

  • by giuscri on 7/27/16, 11:45 AM

    Could someone explain the posted vulnerable code to me better? I don't understand it. What's the returned value? What is URL and url? Why is the extension expecting there must be a @ inside the url?

    Thanks! :-)

  • by neuroid on 7/27/16, 10:02 PM

    The issue mentioned in the blog post was fixed over a year ago [1]. However, the issue reported by Tavis Ormandy [2] is new.

    [1]: https://blog.lastpass.com/2016/07/lastpass-security-updates....

    [2]: https://bugs.chromium.org/p/project-zero/issues/detail?id=88...

  • by tedmiston on 7/27/16, 4:33 PM

    There's been discussion in subthreads about why sandboxed browser extensions are more protected from a malicious page hijacking parsing the URL.

    It's easy to forget that sandboxed extensions don't exist yet in iOS (as of 9.3.3), and sometimes we still have to use bookmarklets.

    As far as I know, bookmarklets aren't afforded any level of sandboxing type protection. I wonder if a malicious page could intervene like that.

  • by cyphar on 7/27/16, 11:09 PM

    Can we also discuss the fact that LastPass's two factor authentication is clearly done client-side (if you already have logged in on a machine, then you can fill in a login before it asks for your two factor authentication token). This is ridiculous. I need to switch to something else, is there a browser plugin for free software password managers like KeePassX?

  • by diziet on 7/27/16, 9:56 AM

    To my best knowledge LastPass comes with Autofill disabled by default on at least Chrome (or I was paranoid enough to turn it off myself)

  • by DonHopkins on 7/27/16, 3:14 PM

    He deserved a whole lot more than $1000 for discovering and reporting such a huge, idiotic security hole that should have never happened in the first place, and it should come out of the salary of whoever caused it by indulging their own laziness and convenience by abusing regular expressions so carelessly and casually.

  • by raverbashing on 7/27/16, 10:03 AM

    Was this an issue with the browser extension?

    How (and how often) are updates pushed to the client?

  • by nxzero on 7/27/16, 10:42 AM

    Bounties for security should be valued by an independent party.

  • by cheald on 7/27/16, 6:41 PM

    Turn off autofill. Takes you 2 clicks to fill things in when you need to, and you're sure that you're only providing credentials when you mean to.

  • by cyberpanther on 7/27/16, 2:20 PM

    I'm a LastPass user but not really in love with it. If I were to switch, which is best and WHY? I need it to support chrome and Android.

  • by kmiroslav on 7/27/16, 12:10 PM

    I don't quite follow. The author says that by entering the URL "http://avlidienbrunn.se/@twitter.com/@hehe.php", the extension is fooled into autofilling as if the browser was on twitter.com.

    What's the difference with simply going to "http://twitter.com"?

    This looks more like a bug than a vulnerability, what am I missing?

  • by thulebag on 7/28/16, 1:32 AM

    They wouldn't give me a bug bounty for the chrome plugin bug I found.

    Remote JavaScript could trigger the export all passwords feature...

  • by Canada on 7/27/16, 12:19 PM

    Does this attack still work if "Automatically fill login information" was disabled in preferences?

  • by gohrt on 7/27/16, 9:12 PM

    $1000 is a stingy payout for a bug that undermines the reason for the product's existence.

  • by ryanlm on 7/27/16, 3:26 PM

    Is someone going to lose their job over this?

  • by necessity on 7/27/16, 4:15 PM

    >They are still much better than the alternative (password reuse).

    I'm not sure if it is, bugs like that are a serious threat. Personally I use the same (long) password for every website, except one of the characters which I replace by the website's first letter. One could think of similar, more sophisticated schemes of password reuse that yield a slightly different password for each website.

    It would be even better if websites started using a public key authentication system, though.