Potent LastPass exploit.....

"Even when the binary isn't present, the flaw can be exploited in a way that lets malicious sites steal passwords from the protected LastPass vault."

I wonder what it is! It had better not turn out to be some lame trick that requires tricking a user into logging in to a fake LastPass prompt; it doesn't sound like it, but I can't imagine how else it would work without the binary addition.
 
I think you've hit the nail on the head! There is no other way as far as I can see.
I'm keeping an eye/ear on the Security Now podcasts to get the lowdown from Steve Gibson.
 
To me, it sounds like some server/service exploit or protocol exploit if the executable is not needed.
 
"But in a particularly clever move, the report demonstrated that arbitrary strings could be injected, and one of these was enough to trick the extension into thinking it was executing on lastpass.com. By doing so, an attacker could manipulate the LastPass extension into revealing the stored data of that user, and launch arbitrary executables in the case of the binary version."

I think what it's saying here (and I can't test now that LastPass has been patched) is that if you were logged into the LastPass extension, it would pass info to lastpass.com automatically if you visited the site. I can't remember if I had to log in to LastPass or not if I was already logged in to the extension, but I know from testing just now that lastpass.com can tell the LastPass extension that you are logged in. I'm sure it had to be something serious like that, because if you could tell the LastPass extension you were lastpass.com, you could have told it you were any domain and had it try to fill out the information if autologin was enabled, but they didn't mention it, so it had to be something more serious.
 
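The failure mode the quoted report describes, an extension accepting an injected string as proof that it is talking to lastpass.com, as an added JavaScript example (not LastPass's code; the origin list, event shapes and function names are assumptions) showing an origin check that trusts page-supplied data beside one that trusts only what the browser attaches:

```javascript
// Added example (not LastPass code): an extension-side message handler deciding
// whether a request comes from the vault's own site. The insecure variant trusts
// an origin string carried inside the message payload, which any page can forge;
// the hardened variant consults only the origin the browser itself attaches to
// the event and requires an exact match against an allow list.
const TRUSTED_ORIGINS = new Set(["https://lastpass.com", "https://www.lastpass.com"]);

// Insecure: the sending page controls msg.data.origin, so a claim of
// "https://lastpass.com" posted from an arbitrary site is believed.
function isTrustedInsecure(event) {
  return TRUSTED_ORIGINS.has(event.data && event.data.origin);
}

// Hardened: only the browser-supplied event.origin is consulted, compared exactly
// (no substring or prefix match, which would let "lastpass.com.evil.example" through).
function isTrustedHardened(event) {
  if (typeof event.origin !== "string") return false;
  return TRUSTED_ORIGINS.has(event.origin);
}

// Constructed sample events shaped like MessageEvent: `origin` is set by the
// browser, `data` is whatever the sending page chose to post.
const forged = {
  origin: "https://attacker.example",
  data: { origin: "https://lastpass.com", action: "getCredentials" }
};
const genuine = { origin: "https://lastpass.com", data: { action: "getCredentials" } };
const lookalike = {
  origin: "https://lastpass.com.evil.example",
  data: { origin: "https://lastpass.com", action: "getCredentials" }
};

// Runs both checks over the samples; the result is what the test asserts on.
function evaluate() {
  return {
    forgedInsecure: isTrustedInsecure(forged),       // true: the forged claim is accepted
    forgedHardened: isTrustedHardened(forged),       // false
    genuineHardened: isTrustedHardened(genuine),     // true
    lookalikeHardened: isTrustedHardened(lookalike)  // false
  };
}
```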