
LastPass RCE vulnerability fixed - sp332
https://bugs.chromium.org/p/project-zero/issues/detail?id=1209
======
blakesterz
This made me laugh:

"They also said they couldn't get my exploit to work, but I checked my apache
access logs and they were using a Mac. Naturally, calc.exe will not appear on
a Mac."

~~~
Exuma
That is honestly embarrassing. I'm glad I don't use LastPass.

~~~
martin1975
I do. What else does auto form fills based on URLs, client side encryption,
and runs in Chrome, IE and Safari?

~~~
AhtiK
Has anyone used a hardware-based password manager like Trezor Password Manager?
[1] [2] Initially Trezor was created as a bitcoin wallet but is much more
these days.

The issue with 1Password is that it's not accessible in Linux and no U2F
(yubikey etc) support AFAIK...

[1] [https://trezor.io/passwords/](https://trezor.io/passwords/)

[2] [https://blog.trezor.io/satoshilabs-launches-trezor-password-manager-the-ultimately-secure-no-master-password-cloud-1b260e5fbe6b](https://blog.trezor.io/satoshilabs-launches-trezor-password-manager-the-ultimately-secure-no-master-password-cloud-1b260e5fbe6b#.gjgqeattk)

~~~
RubyPinch
I've wanted to use such a thing, but the requirement to use a specific browser
is always a massive bother.

Same with things like YubiKey.

It seems like it would be better to just fake a keyboard output instead? Then
you could have something that could work on all platforms in all situations.

~~~
freeone3000
KeePass does this. Autofill activates the last window, finds the "input
control" on the window, then tries to type in the username, tab key, password.
It breaks in all the expected ways, and sometimes new and exciting ways.

~~~
RubyPinch
That is software emulation though, which is restricted by various things
(can't type across users (so breaks on Run As, and elevated windows), if a
window implements a custom control, it won't work with that either since that
window likely reads from the keyboard in a weird or wonderful way, some
windows also just avoid any windows messaging and read the keyboard directly)

Hardware faking of the keyboard would work fine though

------
sp332
Update: another vulnerability found, not patched yet.
[https://mobile.twitter.com/taviso/status/844312124541186048](https://mobile.twitter.com/taviso/status/844312124541186048)

~~~
tedivm
I'm really surprised, and disappointed, that Tavis announced this publicly
like this. From my understanding the Google team has a policy of giving people
time to patch the bug before announcing it. I know that the technical details
weren't released, but by confirming there is a zero day exploit he's making it
more likely to be discovered and exploited. The responsible thing would have
been to notify the vendor and apply the standard policy they have in place for
disclosure.

~~~
libeclipse
He announced it exists, though not what it is. Who knows, it might even spur
some people to move away from LP.

~~~
sp332
They fixed all 3 bugs already.
[https://mobile.twitter.com/taviso/status/844573211278794753](https://mobile.twitter.com/taviso/status/844573211278794753)
I'm not moving.

------
joshschreuder
The test page is still vulnerable for me.

[https://lock.cmpxchg8b.com/SaiGhij5/lastpass.html](https://lock.cmpxchg8b.com/SaiGhij5/lastpass.html)

    Chrome 57.0.2987.110 (64-bit)
    Version: 4.1.42
    Built: Thu Mar 09 2017 12:40:16 GMT-0500 (EST)
    Binary Component: true (Native Messaging version 4.1.34, built Jan 11 2017 01:45:24)

Any idea why? I thought no user action was required? No custom error message
for NXDOMAIN (I think?), I see the LastPass site, then calc.exe opens.

[https://twitter.com/LastPass/status/844176201392504834](https://twitter.com/LastPass/status/844176201392504834)

~~~
shawnz
Still works for me too. I guess I'm disabling the extension for now.

------
bluedonuts
Long time unhappy user of Lastpass here. Would really like to hear what
alternatives people are using that have at least the following features:

1\. Mac/Windows/Linux support

2\. Ability to control accounts from an admin account. PW/2FA reset,
export/wipe of accounts etc.

3\. Reasonably secure

4\. Not too terrible to use for Engineers/non-techies alike.

~~~
marksomnian
Not sure about point 2, but 1Password seems to fit all the others. Really like
it, personally.

~~~
moyix
1Password didn't support Linux last time I checked. There are 3rd party
libraries, but most of them don't support the newer keychain format. I still
use it and just look up the password on my phone when I'm on a Linux system.

~~~
nsm
1Password has their opvault format spec on the website and
[https://github.com/OblivionCloudControl/opvault](https://github.com/OblivionCloudControl/opvault)
can decrypt. Admittedly the UX is lacking.

~~~
moyix
I've tried that library, actually. Last time I used it, it couldn't find some
passwords in the vault, including (crucially) the one I use for SSO at work.
It's totally possible I was just using it wrong – it would be nice if the
repository had a demo command line tool or something.

------
sp332
Apparently this was fixed server-side and does not require any update to the
client. However the default version on addons.mozilla.org is very old for some
reason, so if you are running 3.x it wouldn't hurt to download the latest. You
can get it either from LastPass's website directly or from
[https://addons.mozilla.org/en-US/firefox/addon/lastpass-password-manager/versions/beta](https://addons.mozilla.org/en-US/firefox/addon/lastpass-password-manager/versions/beta)

~~~
derobert
The 3.x is still updated, but they're replacing it soon. 4.x is a
WebExtension, with a different UI.

See [https://blog.lastpass.com/2017/03/plans-to-retire-the-lastpass-3-3-2-firefox-add-on.html/](https://blog.lastpass.com/2017/03/plans-to-retire-the-lastpass-3-3-2-firefox-add-on.html/) for details.

~~~
sp332
Oh you're right. I was confused and there are two bugs, only one of which has
been fixed so far. The first one, which is apparently still unfixed, mentioned
here
[https://twitter.com/taviso/status/842205051082821632](https://twitter.com/taviso/status/842205051082821632)
only works on 3.x on Firefox.

------
emn13
I've got to say, this attack looks a little too obvious; that doesn't reflect
well on LastPass.

~~~
svenfaw
The high number of vulnerabilities that keep being found in LastPass
(including some that are not publicly disclosed) forced me to jump ship a
while ago.

~~~
mdekkers
Same here. Trialling Dashlane, but not quite convinced yet...

~~~
xxkylexx
If you're interested in an open source option that compares quite well to the
LastPass feature-set, check out bitwarden:
[https://bitwarden.com/](https://bitwarden.com/) (note: I am the lead
developer).

~~~
toyg
Looks cool. My personal "I can't use it because it lacks X" list:

\- Firefox extension

\- Password generator

But I'll keep an eye on it. LastPass is far from perfect.

~~~
xxkylexx
We have both of these things:

\- Firefox: [https://addons.mozilla.org/en-US/firefox/addon/bitwarden-password-manager/](https://addons.mozilla.org/en-US/firefox/addon/bitwarden-password-manager/)

\- Generator: [http://imgur.com/3q4w9Mn.png](http://imgur.com/3q4w9Mn.png)

~~~
toyg
You need to update your user home screen then, both features have empty links
saying "coming soon".

------
koolba
Looks like this was discovered by the same guy that discovered CloudFail. That
dude is amazing.

~~~
yeukhon
Well, this is Project Zero; the security researchers working there are highly
competent, but I do agree this guy is amazing. I wonder what kind of
methodology they use to even come up with these attacks.

~~~
dsacco
Having briefly interacted with a few of them, and following their work in
general:

1\. They have a phenomenal intuition for where developers get lazy, tired or
simply incompetent in security-sensitive code,

2\. They have, in aggregate, a vast knowledge and understanding of past
vulnerabilities and how those might be repeated elsewhere or imperfectly
patched,

3\. They practice a lot and they read a lot (i.e. relevant research, etc). It
might be more accurate to say that they have a lot of practice because of
their work, not that they actively practice outside of work.

4\. They are good at the general process of security research - long hours of
mostly dull, complex research interspersed with brief eureka moments and bouts
of euphoria.

They're an extraordinary team, for sure.

------
username223
Is it just me, or are these "cloud password managers" a terrible idea given
the typical person's threat model? First, there are hackers looking to score a
huge pile of accounts. Second, there could be a relatively unsophisticated
person with a grudge, like an ex-partner. In a distant third, there are
nation-state-level actors.

If I keep a local encrypted password file and copy it around by hand, I may
have some vulnerabilities, but it's not worth a hacker's time to steal only my
accounts, and I can probably protect my credentials from casual malice. On the
other hand, if I put my passwords on the same service as hundreds of thousands
of other people, that's a huge jackpot that attracts significant hacking
interest, and the service only has to screw up once. The risk doesn't seem
worth the convenience.

~~~
UnoriginalGuy
As soon as you put a Keepass encrypted database onto any cloud service (e.g.
DropBox, Google Drive, etc) you've effectively just recreated LastPass.

Both use an AES-256 encrypted database encrypted using a master password which
is first hashed using a modern/slow hashing algorithm.

Obviously it is imperfect that the LastPass plugin has bugs in it; and I won't
defend that. But I will say that the convenience is worth the risk most of the
time, but LastPass needs to be better than this if they want to maintain
people's respect and trust.

If you intend to keep your encrypted password database completely offline
(e.g. USB keys) then, sure, it is more secure but very few users are willing
to take on such inconvenience.

Password Managers in general have resulted in less password reuse, longer
passwords, and more random passwords. Last Pass in particular offers "one
click" password rotation on dozens of popular services.

~~~
wsinks
One click password rotation! I had no idea.

~~~
UnoriginalGuy
It is neat but only on a select list of popular sites, you can see the list at
the bottom of this page:

[https://helpdesk.lastpass.com/generating-a-password/#h2](https://helpdesk.lastpass.com/generating-a-password/#h2)

------
homakov
This is why we need a mirror method for postMessage to securely receive cross
origin messages: [https://medium.com/@homakov/why-we-need-getmessage-too-a74110783f26](https://medium.com/@homakov/why-we-need-getmessage-too-a74110783f26)
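As an added illustration of the receiving side of postMessage that the comment above is about (not code from LastPass, Project Zero or the linked article): a simulated message handler that dispatches to a hypothetical privileged RPC table, first with no sender check and then with an origin allowlist and a command allowlist. The RPC names, origins and event objects are constructed for the example.

```javascript
// Added example: why a postMessage receiver must check event.origin and
// restrict which internal commands a page may reach. PRIVILEGED_RPC stands in
// for an extension's internal command dispatcher; nothing here touches a vault.
const PRIVILEGED_RPC = {
  getVersion: () => "4.1.42",
  fillform: (args) => `would fill credentials into ${args.url}`,
};

// Unsafe receiver: dispatches whatever the sender names, never looking at
// event.origin, so any page that can post a message reaches every command.
function handleMessageUnsafe(event) {
  const rpc = PRIVILEGED_RPC[event.data && event.data.cmd];
  return rpc ? rpc(event.data.args || {}) : null;
}

// Hardened receiver: exact-match origin allowlist (no substring or regex
// matching), a separate allowlist of commands pages may call at all, and a
// shape check on the payload before it is used.
const TRUSTED_ORIGINS = new Set(["https://vault.example"]); // assumed origin
const PAGE_CALLABLE = new Set(["getVersion"]);              // fillform stays internal

function handleMessageSafe(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return null;
  if (typeof event.data !== "object" || event.data === null) return null;
  if (!PAGE_CALLABLE.has(event.data.cmd)) return null;
  return PRIVILEGED_RPC[event.data.cmd](event.data.args || {});
}

// Constructed events shaped like what a "message" listener would receive.
const fromUnknownOrigin = {
  origin: "https://attacker.invalid",
  data: { cmd: "fillform", args: { url: "https://bank.example" } },
};
const fromTrustedOrigin = { origin: "https://vault.example", data: { cmd: "getVersion" } };
```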

------
codys
Note that this issue references another (not yet public) issue which is
apparently for LastPass on firefox. I expect we'll see a LastPass + Firefox
issue in the near future.

> (Please note, issue 1188 which affects LastPass on firefox is not fixed, and
> still works)

------
bflesch
Brilliant find by taviso. So simple yet thousands of others passed over it. It
takes a relentless mind to comb through all this code and actually find such
an issue.

~~~
munin
> So simple yet thousands of others passed over it.

Is that true? How do you know?

~~~
bflesch
LastPass has been in the spotlight for quite some time now, and repeatedly
criticized by the security community. I've also read various articles about
alleged security flaws with LastPass (which were quickly resolved by the
team).

------
Thriptic
How would this theoretically affect a user with password re-prompt on for all
of their accounts?

------
bgrohman
Most of the reported issues I've seen have been caused by browser extensions.
It seems like uninstalling the extensions and just using the web app directly
in a separate browser might go a long way towards avoiding these kinds of
issues.

------
didibus
This doesn't seem to me like it compromised the passwords though. Am I missing
something?

~~~
ktta
> Therefore, this allows complete access to internal privileged LastPass RPC
> commands. There are hundreds of internal LastPass RPCs, but the obviously
> bad ones are things copying and filling in passwords (copypass, fillform,
> etc). If you install the binary component
> ([https://lastpass.com/support.php?cmd=showfaq&id=5576](https://lastpass.com/support.php?cmd=showfaq&id=5576)),
> you can also use "openattach" to run arbitrary code.

Any LastPass RPC could be called, which does mean that it compromised
the passwords. Now, the worst part is that any code (any .bat file, which on
Windows is similar to a bash script) could be run on the host computer, which
means they can effectively take over the host computer.

