In September 2019, LastPass faced a different kind of threat: a password-revealing bug in its Chrome and Opera browser extensions. While it was quickly fixed, this incident highlighted the inherent risks in complex software and the importance of rapid response.
How the Attack Happened: Clickjacking and Skipped Checks

The vulnerability, discovered by Google Project Zero researcher Tavis Ormandy, stemmed from how the extension generated popup windows for autofilling credentials. In certain scenarios, a malicious website could create an HTML iframe pointing directly at the LastPass popupfilltab.html window, bypassing the intended registration function.
This unintended path caused the popup to open with the password of the most recently visited site in the current browser tab. Because the correct registration function (do_popupregister()) wasn’t called, the extension fell back on a cached URL, potentially exposing the previous site’s credentials through a clickjacking attack.
Clickjacking involves concealing the true destination of a web link, often by placing a malicious link in a transparent layer over an innocuous one, tricking users into clicking the hidden link. In this case, an attacker could potentially steal the last used credentials by manipulating iframes and the password fill popup.
Ormandy also identified three other weaknesses:
• The handle_hotkey() function didn’t check for trusted events, allowing sites to generate arbitrary hotkey events.
• A bug allowed attackers to disable several security checks by including the string “https://login.streetscape.com” in the code.
• The LP_iscrossdomainok() routine could bypass other security checks.
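The following is an added illustration (not LastPass’s code) of the two checks the weaknesses above lacked: gating a fill request on the origin actually registered for it rather than a cached URL, and rejecting script-generated events in the hotkey handler. The function names, the Alt+F hotkey and the sample vault are assumptions; it runs on Node.js 18+, which provides Event and EventTarget globally.

```javascript
// Illustrative hardening (added example, not LastPass's code). Node.js 18+.

// Constructed sample vault keyed by origin.
const vault = {
  "https://bank.example": { user: "alice", password: "s3cret-bank" },
  "https://forum.example": { user: "alice", password: "s3cret-forum" },
};

// Origin recorded by the intended registration call for the current request.
let registeredOrigin = null;

// Intended path: registration records the origin of the frame that requested
// the autofill popup. A value cached from an earlier site is never reused.
function doPopupRegister(frameUrl) {
  registeredOrigin = new URL(frameUrl).origin;
}

// Fill request from a frame. The bug served whatever the cached URL pointed at;
// here the request is refused unless it was registered and the requesting
// frame's origin matches the registered origin exactly.
function credentialsForFill(requestingFrameUrl) {
  const origin = new URL(requestingFrameUrl).origin;
  if (registeredOrigin === null || origin !== registeredOrigin) {
    return null; // unregistered or cross-origin request: no fill
  }
  return vault[origin] ?? null;
}

// Hotkey handler that ignores script-generated events. A page can dispatch a
// synthetic keydown, but cannot set isTrusted to true on it.
// (Alt+F as the hotkey is a hypothetical choice.)
function handleHotkey(event) {
  if (!event.isTrusted) return "ignored-untrusted";
  if (event.altKey && event.key === "F") return "fill-triggered";
  return "not-a-hotkey";
}

// Simulates a synthetic hotkey dispatched by page script: isTrusted is false,
// so the hardened handler ignores it.
class KeyEvent extends Event {
  constructor(type, init) { super(type); Object.assign(this, init); }
}
function syntheticHotkeyResult() {
  let result;
  const target = new EventTarget();
  target.addEventListener("keydown", (e) => { result = handleHotkey(e); });
  target.dispatchEvent(new KeyEvent("keydown", { key: "F", altKey: true }));
  return result;
}
```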
How it Was Mitigated: Swift Action and User Guidance

LastPass acknowledged the vulnerability promptly and released an updated version (4.33.0) of their browser extensions within days to fix the bug. This update was deployed to all browsers as a precaution, even though the vulnerability was primarily in Chrome and Opera. The update was automatic, requiring no action from most users.
LastPass also provided best practices for users, including:
• Avoiding links from unknown individuals.
• Turning on multi-factor authentication (MFA) for all services.
• Not reusing or sharing the master password.
• Creating unique passwords for each online account.
• Running up-to-date antivirus software.
Lessons Learned: The Importance of Vigilance and Responsible Disclosure

The 2019 incident, while quickly resolved, provided important reminders:
• Browser extensions can be attack vectors: Extensions, while adding functionality, can also introduce security vulnerabilities if not carefully developed and tested.
• Even seemingly complex security measures can have bypasses: The unexpected interaction with iframes highlighted how standard security procedures can be circumvented through clever exploitation.
• Rapid and transparent patching is crucial: LastPass’s quick response in releasing a fix helped to minimize potential harm.
• Responsible disclosure by security researchers plays a vital role: Ormandy’s private reporting of the vulnerability to LastPass allowed them to address the issue before widespread exploitation.
• User education remains key: Even with patched software, user awareness of phishing tactics and security best practices is essential.
Conclusion: The Ongoing Saga of Security

The incidents involving LastPass underscore the constant cat-and-mouse game in cybersecurity. While password managers offer significant security benefits by promoting strong and unique passwords, they are not immune to vulnerabilities and attacks.
The 20 breach served as a stark reminder of the severe consequences of compromising developer accounts and the far-reaching impact of supply chain vulnerabilities. The 2019 bug illustrated how subtle flaws in software, particularly in browser extensions, can create opportunities for exploitation.
The lessons learned from these events are applicable to users, developers, and password manager providers alike. For users, it emphasizes the need for strong master passwords, enabling MFA, keeping software updated, and being cautious of phishing attempts. For developers, it highlights the importance of secure coding practices, rigorous testing, and maintaining vigilance over third-party dependencies. For password manager companies, it underscores the necessity of robust security architectures, transparent communication, and a commitment to continuous improvement in the face of evolving threats.
The story of LastPass is a testament to the fact that security is not a destination but an ongoing journey. As the threat landscape continues to evolve, constant vigilance, proactive security measures, and a commitment to learning from past incidents are crucial for safeguarding our digital lives.