This story originally appeared on Ars Technica, a trusted source for technology news, tech policy analysis, reviews, and more. Ars is owned by WIRED's parent company, Condé Nast.

"Because do_popupregister() is never called, ftd_get_frameparenturl() just uses the last cached value in g_popup_url_by_tabid for the current tab," Ormandy wrote. "That means via some clickjacking, you can leak the credentials for the previous site logged in for the current tab."
Clickjacking is a class of attack that conceals the true destination of the site or resource displayed in a web link. In its most common form, clickjacking attacks place a malicious link in a transparent layer on top of a visible link that looks innocuous. Users who click on the link open the malicious page or resource rather than the one that appears to be safe.
"This will prompt if you try to clickjack filling in or copying credentials though, because frame_and_topdoc_has_same_domain() returns false," Ormandy continued. "This is possible to bypass, because you can make them match by finding a site that will iframe an untrusted page."
The researcher then showed how a bypass might work by combining two domains into a single URL such as https://translate.google.com/translate?sl=auto&tl=en&u=https://www.example.com/

In a series of updates, Ormandy described easier ways to carry out the attack. He also described three other weaknesses he found in the extensions, including: a handle_hotkey() routine that didn't check for trusted events, allowing sites to generate arbitrary hotkey events; a bug that allowed attackers to disable several security checks by putting the string "https://login.streetscape.com" in code; and a routine called LP_iscrossdomainok() that could bypass other security checks.
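To make the stale-cache problem Ormandy describes concrete, here is an added illustration in JavaScript, constructed for this article and not taken from LastPass's extension code: a per-tab URL cache whose registration hook stops firing, beside a lookup that refuses to reuse a cached URL whose origin no longer matches the tab's current top document. All names (makeFrameUrlResolver, sameOrigin, demo, the sample URLs) are assumptions made for the example.

```javascript
// Constructed example, not LastPass code. Models a per-tab cache that is only
// refreshed when a registration hook fires; if that hook stops being called
// after a navigation, a fill decision is made against the previous site's URL.
function makeFrameUrlResolver() {
  const urlByTabId = new Map(); // stands in for a g_popup_url_by_tabid-style cache

  return {
    // Hook meant to run on every popup registration. The article's bug is
    // that it is never called again, so the cache goes stale.
    register(tabId, frameParentUrl) {
      urlByTabId.set(tabId, frameParentUrl);
    },
    // Buggy lookup: blindly trusts whatever was cached last for this tab.
    staleParentUrl(tabId) {
      return urlByTabId.get(tabId) ?? null;
    },
    // Hardened lookup: the cached value is honoured only if its origin matches
    // the origin the browser currently reports for the tab's top document;
    // otherwise the stale entry is dropped instead of reused.
    checkedParentUrl(tabId, currentTopUrl) {
      const cached = urlByTabId.get(tabId);
      if (!cached || !sameOrigin(cached, currentTopUrl)) {
        urlByTabId.delete(tabId);
        return null;
      }
      return cached;
    },
  };
}

// Compare full origins (scheme + host + port), not just hostnames.
function sameOrigin(a, b) {
  try {
    return new URL(a).origin === new URL(b).origin;
  } catch {
    return false; // malformed URL never counts as a match
  }
}

// Scenario: the user fills credentials on one site, then the same tab
// navigates to another site without register() firing again.
function demo() {
  const r = makeFrameUrlResolver();
  r.register(7, "https://bank.example/login");
  const later = "https://other.example/page";
  return {
    stale: r.staleParentUrl(7),          // previous site's URL is reused
    checked: r.checkedParentUrl(7, later) // null: origin mismatch, no fill
  };
}
```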
On Friday, LastPass published a post that said the bugs had been fixed and described the "limited set of circumstances" required for the flaws to be exploited.

"To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times," LastPass representative Ferenc Kun wrote. "This exploit may result in the last site credentials filled by LastPass to be exposed. We quickly worked to develop a fix and verified the solution was comprehensive with Tavis."
Don’t Ditch Your Password Manager Just Yet

The vulnerability underscores the drawback of password managers, a tool that many security practitioners say is essential for good security hygiene. By making it easy to generate and store a strong password that's unique for every account, password managers offer a crucial alternative to password reuse. Password managers also make it much easier to use passwords that are truly strong, since users need not memorize them. In the event that a website breach exposes user passwords in cryptographically protected form, the chances of someone being able to crack the hash are slim, since the plaintext password is strong. Even in the event that the website breach leaks passwords in plaintext, the password manager ensures that only a single account is compromised.