LastPass extensions can be made to cough up passwords, deliver malware
LastPass Chrome and Firefox extensions contain flaws that could allow malicious websites to steal victims’ passwords or execute commands on their computer.
The flaws were discovered by Google Project Zero researcher Tavis Ormandy, and responsibly disclosed to LastPass.
But while the company has pushed out what seems to be a slapdash and incomplete fix in the latest version of the Chrome extension (4.1.42, dated March 14, 2017), a fixed version of the Firefox plug-in has still not been released, as the company is waiting for Mozilla to greenlight it.
The vulnerabilities
The LastPass password management service stores users’ passwords in the cloud, and they are retrieved by browser extensions when a user needs them to access an online account.
The Chrome plug-in sports a script that can be exploited to allow malicious websites to access to internal privileged LastPass RPC (remote procedure call) commands.
“It’s possible to proxy untrusted messages to LastPass 4.1.42 due to a bug, allowing websites to access internal privileged RPCs (Remote Procedure Calls). There are a lot of RPCs, allowing complete control of the LastPass extension, including stealing passwords,” Ormandy noted.
And, if the user has installed the Lastpass binary component on Chrome, a malicious website can use the same script to load malware on the victim’s machine and execute it. Ormandy has provided a demo of the exploit for this attack, as well as PoC JavaScript code for exploiting the vulnerable content script.
The vulnerability flagged by Ormandy in the Firefox plug-in is present in version 3.3.2, offered for download on Mozilla’s Add-ons page. It can be exploited by malicious websites to get the users’s passwords.
LastPass is generally advising users to switch to the 4.x versions of the add-on, offered on LastPass’ website, but apparently Ormandy has unearthed another bug in LastPass 4.1.35 that allows stealing passwords for any domain.
All in all, for the time being, I would advise users to disable their LastPass extension until there is a definitive fix for both versions.