
LastPass autofill exploit - detectify
https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/
======
cyberpanther
Great catch and everyone should know there is an easy way to parse URLs in JS.
Just create an anchor element and let the browser parse it for you. Like so:

    var parser = document.createElement('a');
    parser.href = "http://example.com:3000/pathname/?search=test#hash";

    parser.protocol; // => "http:"
    parser.hostname; // => "example.com"
    parser.port;     // => "3000"
    parser.pathname; // => "/pathname/"
    parser.search;   // => "?search=test"
    parser.hash;     // => "#hash"
    parser.host;     // => "example.com:3000"

~~~
dkopi
While that might be an "easy way" - it isn't a secure way in this case.

Since malicious attackers have complete control over the page you're seeing -
they can simply replace document.createElement with their own function. And
instead of returning a DOM object, they can return an object that returns
whatever they want in .hostname.

~~~
jxpx777
Disclosure: I work for AgileBits, makers of 1Password.

For desktop browser extensions that are properly using the frameworks, the
extension's Javascript runs in its own execution context so the page cannot
redefine variables. This protected 1Password when we discovered that a certain
page had redefined the global JSON object, which provides parse and stringify
functions among other things, to be the number 3, i.e. a numeric constant
called JSON. :'D

~~~
throwanem
Out of curiosity, does this apply only to Chrome's extension framework, or to
Firefox's and Safari's as well?

Context: I'm a new 1Password user who is contemplating use of the extensions
for those latter two browsers, and while it seems probable their extension
frameworks offer the level of security you describe, I'd like to be certain
before pulling the trigger. Thanks!

~~~
AGKyle
Disclaimer: I work for AgileBits as well :)

Hi there!

Yes, all 3 of the major browsers (and derivatives of them) offer the same
support for a sandboxed execution environment. You can safely use any of them
if that's a requirement you have :)

Kyle

AgileBits

~~~
throwanem
Neat, thanks!

------
mcs
Please correct me if I am mistaken, but couldn't this have been implemented
into an iframe that when ran could send the passwords to another remote
server?

If so, I am a little taken aback by LastPass only offering $1,000 to the
researcher that found and reported it for fixing. He or she could have taken a
different path and resulted in this being used in some complex targeted attack
against tech corporations via short-url redirect interstitial pages, or an ad
network's javascript, etc. Given the potential damage, I'd say there is a
missing zero or two on that reward amount, in my opinion.

~~~
jrockway
Let's do a little calculation to see if the payout is worthwhile.

Using something illegally means you run the risk of going to prison. Let's say
there's a 1% chance you get caught, the prison sentence is 10 years, and the
evil hackers will pay you $20,000 for your bug. Let's also say that you're a
mid-career software engineer in the US, and over the next 10 years you expect
to make $2M (after taxes).

This means your expected outcome over 10 years is $20,000 + (0.99 * $2M) =
$1.98M. With Lastpass's bounty you end up with $2.001M.

With these assumptions, you should be paying Lastpass to find bugs in their
software! Of course, if you're not in the US, you probably make a more
reasonable salary (read: less), taxes are higher, and the risk of getting
caught is lower.

~~~
virtualwhys
> over the next 10 years you expect to make $2M (after taxes)

That would be $300K per year pre-tax (assuming current 2016 tax rate of 33%
for the 200-400K bracket). Is that really a normal mid-career salary?

I need to change jobs if that's the case...

~~~
superuser2
At elite big-name tech companies in the Bay Area, if you're selling your stock
as it vests, that might be a little high but in the ballpark.

------
ktta
I've been using LastPass for about 3 years, and now I'm seriously thinking
about all the times people told me about how storing passwords in someone
else's cloud is bad.

I've been defending LastPass and recommending it to everyone till today. Now
I'm thinking about how I might have to 'pay' for a software vulnerability in
some private (read:unauditable by me) code. All the comments about offline,
local backups make sense to me.

But the points I usually make are still valid, like:

1. I can go to any computer with Chrome and get access to all my passwords,
so I don't have to carry my passwords with me everywhere.

2. I don't have to worry about storing passwords properly, since LastPass is a
good company and they know their stuff about protecting the customers' data.

3. Password capture. It might seem like a tiny feature, but I'm too lazy to
remember opening an app and entering my credentials whenever I create an
account or log into an old account.

4. Mobile login. Although a paid feature, this _really_ changes my life. If I
don't trust a computer enough to log in via Chrome or something else, or want
my secret notes, I just open up my phone.

But all the above features mean nothing when it comes to the chance of
compromising all my passwords (except bank info, of course).

I'd like to hear the thoughts of anyone else who uses lastpass and what they
think.

~~~
starquake
I do not use LastPass exactly because of what you describe. I use a KeePass
Password Safe without autofill. I use other software to sync the file. It used
to be Dropbox, later I was using BitTorrent Sync, but which tool does the syncing
shouldn't really matter. As I see it: the tool only gets to see and sync an
encrypted file. You could even use a USB stick and not sync at all. Or only
sync on LANs.

I love it how I get to decide who or what gets to see the encrypted file.

Now hopefully the Keepass audit will not reveal any issues in the encryption.

~~~
icebraining
Lastpass also only syncs data after it's encrypted locally, so the threat
model is the same.

~~~
skrebbel
Not entirely, since you download the encryption code way more often (for
example, when you open the "Lastpass Vault", which is just a website like any
other). Parts of Lastpass are simply a website, not part of the browser
extension, and as an avid Lastpass user in all honesty I don't know which
parts.

This matters because even if it's client-side encryption, the encryption code
just got downloaded when you opened the site so if the server or the network
was compromised, you got compromised. [0]

With Keepass, the only time you run that risk is when you download Keepass.

[0] As far as I can tell, this is the core argument of tptacek's "javascript
crypto considered harmful" rant
([https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/august/javascript-cryptography-considered-harmful/](https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/august/javascript-cryptography-considered-harmful/)).
I'm not sure, because it's written worse than his most drunken HN comment, but
I believe it is.

~~~
milkey_mouse
I'm pretty sure when using the Chrome extension, all the HTML/JS is downloaded
locally once when installing the extension, as logging in via the extension
brings you to a chrome-extension:// URL. When logging in via lastpass.com, of
course, you will be redownloading the crypto code every time.

------
viraptor
It looks like there's more interesting stuff coming in soon:
[https://twitter.com/taviso/status/758074702589853696](https://twitter.com/taviso/status/758074702589853696)

(to save a click: Tavis Ormandy: "Are people really using this lastpass thing?
I took a quick look and can see a bunch of obvious critical problems. I'll
send a report asap.")

~~~
0xmohit
It seems that you didn't see:
[https://twitter.com/taviso/status/758143119409885185](https://twitter.com/taviso/status/758143119409885185)

    
    
      Full report sent to LastPass, they're working on it now. Yes,
      it's a complete remote compromise. Yes, I promise I'll look at
      1Password.

~~~
viraptor
I did see it. Not sure what you mean by this.

------
avolcano
I'm generally very sympathetic to regex bugs (especially in a language like
JavaScript where you don't get nice expanded multiline regexes with comments),
but I am wondering why they went with a regex in the first place. Did they
decide `document.location.host` was too brittle for some reason?

~~~
techdragon
I'd agree if there wasn't an extremely good solution to this problem.

Verbal Expressions - It's an extremely good higher level interface to the
underlying regular expressions tools, in _MANY_ languages.

Including:

JavaScript -
[https://github.com/VerbalExpressions/JSVerbalExpressions](https://github.com/VerbalExpressions/JSVerbalExpressions)

ActionScript 3 -
[https://github.com/VerbalExpressions/AS3VerbalExpressions](https://github.com/VerbalExpressions/AS3VerbalExpressions)

Clojure - [https://github.com/VerbalExpressions/ClojureVerbalExpressions](https://github.com/VerbalExpressions/ClojureVerbalExpressions)

C++ -
[https://github.com/VerbalExpressions/CppVerbalExpressions](https://github.com/VerbalExpressions/CppVerbalExpressions)

C# -
[https://github.com/VerbalExpressions/CSharpVerbalExpressions](https://github.com/VerbalExpressions/CSharpVerbalExpressions)

Dart -
[https://github.com/VerbalExpressions/DartVerbalExpressions](https://github.com/VerbalExpressions/DartVerbalExpressions)

Elixir -
[https://github.com/VerbalExpressions/ElixirVerbalExpressions](https://github.com/VerbalExpressions/ElixirVerbalExpressions)

Elm - [https://github.com/VerbalExpressions/elm-verbal-expressions](https://github.com/VerbalExpressions/elm-verbal-expressions)

Erlang -
[https://github.com/VerbalExpressions/ErlangVerbalExpressions](https://github.com/VerbalExpressions/ErlangVerbalExpressions)

FreeBasic - [https://github.com/VerbalExpressions/FreeBasicVerbalExpressions](https://github.com/VerbalExpressions/FreeBasicVerbalExpressions)

F# -
[https://github.com/VerbalExpressions/FSharpVerbalExpressions](https://github.com/VerbalExpressions/FSharpVerbalExpressions)

Go -
[https://github.com/VerbalExpressions/GoVerbalExpressions](https://github.com/VerbalExpressions/GoVerbalExpressions)

Groovy -
[https://github.com/VerbalExpressions/GroovyVerbalExpressions](https://github.com/VerbalExpressions/GroovyVerbalExpressions)

Haskell - [https://github.com/VerbalExpressions/HaskellVerbalExpressions](https://github.com/VerbalExpressions/HaskellVerbalExpressions)

Haxe -
[https://github.com/VerbalExpressions/HaxeVerbalExpressions](https://github.com/VerbalExpressions/HaxeVerbalExpressions)

Java -
[https://github.com/VerbalExpressions/JavaVerbalExpressions](https://github.com/VerbalExpressions/JavaVerbalExpressions)

Lua -
[https://github.com/VerbalExpressions/LuaVerbalExpressions](https://github.com/VerbalExpressions/LuaVerbalExpressions)

Objective C - [https://github.com/VerbalExpressions/ObjectiveCVerbalExpressions](https://github.com/VerbalExpressions/ObjectiveCVerbalExpressions)

Perl -
[https://github.com/VerbalExpressions/PerlVerbalExpressions](https://github.com/VerbalExpressions/PerlVerbalExpressions)

PHP -
[https://github.com/VerbalExpressions/PHPVerbalExpressions](https://github.com/VerbalExpressions/PHPVerbalExpressions)

PowerShell - [https://github.com/VerbalExpressions/PowerShellVerbalExpressions](https://github.com/VerbalExpressions/PowerShellVerbalExpressions)

PureScript - [https://github.com/VerbalExpressions/purescript-verbal-expressions](https://github.com/VerbalExpressions/purescript-verbal-expressions)

Python -
[https://github.com/VerbalExpressions/PythonVerbalExpressions](https://github.com/VerbalExpressions/PythonVerbalExpressions)

Racket -
[https://github.com/VerbalExpressions/RacketVerbalExpressions](https://github.com/VerbalExpressions/RacketVerbalExpressions)

Ruby -
[https://github.com/VerbalExpressions/RubyVerbalExpressions](https://github.com/VerbalExpressions/RubyVerbalExpressions)

Rust -
[https://github.com/VerbalExpressions/RustVerbalExpressions](https://github.com/VerbalExpressions/RustVerbalExpressions)

Scala -
[https://github.com/VerbalExpressions/ScalaVerbalExpressions](https://github.com/VerbalExpressions/ScalaVerbalExpressions)

Swift -
[https://github.com/VerbalExpressions/SwiftVerbalExpressions](https://github.com/VerbalExpressions/SwiftVerbalExpressions)

Vala -
[https://github.com/VerbalExpressions/ValaVerbalExpressions](https://github.com/VerbalExpressions/ValaVerbalExpressions)

And probably more, but that's just the "official" implementations.

~~~
obsurveyor
You could have just linked to
[http://verbalexpressions.github.io](http://verbalexpressions.github.io)
instead of spamming all the repositories. Also, about half of them are out of
date by 3 or more years.

~~~
elktea
The point being it's available for a wide range of languages

~~~
techdragon
Exactly... I probably could have posted less of them but in an era of TLDR it
was easy enough to just post the list and let the uninterested scroll past and
ignore it. That I have down votes for pointing out how practically no
developers are without an option to guard against poorly written regular
expressions, feels somewhat overkill.

------
jacobsladder
$1000 for the bug bounty? This is incredibly stupid! How can you make a living
off that? You could make hundreds of thousands of US$ from exploiting this.
You could sell it on the black market. I am surprised that most of the
corporations, even respectable ones, are awarding peanuts for something that
is so important to their business process. This makes my blood boil. I operate
a small business website and I awarded $3k just because someone found a way to
brute force passwords without getting rate limited. This is quite simply
unacceptable.

I think the company should have paid $100,000.

~~~
Domenic_S
Someone always makes a comment like this. Honestly, the black market value (if
any) has nothing to do with the whitehat bounty amount. Why should it? The
person who's going to do legitimate whitehat work isn't the same person who's
going to sell on the black market.

I think of it like drugs. $50k street value of cocaine is not going to do me a
lot of good because 1) I'd have no idea where to sell it, 2) if I did know
where, I wouldn't have the relationships built and would probably get ripped
off/killed/what-have-you, and 3) selling drugs isn't something I'd like to do.
So, if there were an option of turning in the drugs to the police for $500, I
would take that instead.

~~~
skizm
I think the point is 1) it encourages more people to go the black hat way and
2) $1000 just isn't worth all the time people spend _not_ finding bugs before
finding one. So no one is encouraged to look in the first place except maybe
the few who find it fun to do in their free time.

Side-note: isn't there a grey market that buys exploits (for sums of ~$100k
depending on the exploit) and sells them to government agencies or larger
corporations? I think I remember one company charged $500k / year to companies
and government agencies who wanted access to their "exploit database". Seems
like this is the best route to go with these kinds of exploits since it is
completely legal.

~~~
edanm
"I think the point is 1) it encourages more people to go the black hat way".

How many times have people had to pay you not to commit felonies that are a)
immoral, and b) could land you in jail?

I think most people don't need monetary encouragement not to turn black hat.

------
punjabisingh
It's confusing that the LastPass site is claiming only Firefox is impacted.
[1] Whereas the security researcher's site (detectify.com) shows the
vulnerability running in Chrome. [2]

Furthermore, the current live version on Firefox addons repository is 3.x [3],
which the LastPass team claims is not vulnerable. [1]

[1] [https://blog.lastpass.com/2016/07/lastpass-security-updates.html/](https://blog.lastpass.com/2016/07/lastpass-security-updates.html/)

[2] [https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/](https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/)

[3] [https://addons.mozilla.org/en-US/firefox/addon/lastpass-password-manager/](https://addons.mozilla.org/en-US/firefox/addon/lastpass-password-manager/)

~~~
brainfire
The Firefox reference is in the second vulnerability discussed in your link 1,
and is unrelated to your link 2 and parent submission. That second
vulnerability apparently only affected the version 4 line of the Firefox
plugin, which is marked beta in the Mozilla repository.

------
xur17
The end of this article mentions that "Also, this would not work if multi
factor authentication was on, so you should probably enable that as well."

Does anyone know why that is the case? It seems like this exploit is just
taking advantage of the js that autofills forms on the page based on domain.
You can still use autofill if you have multifactor enabled.

~~~
tyleraldrich
I assume it's because LastPass sends you the multi factor auth request before
accessing your passwords (and therefore before allowing the autofill js stuff
to use your password).

I don't actually use LastPass so I'm not 100% sure, but this would be the most
likely case imo

~~~
xur17
They only send the multi factor auth request when you first login to your
account in the browser (and then every 30 days). Once you are logged in,
autofilling works exactly the same.

------
lukasm
Another regex bug, what a surprise. Do not store your whole password in LastPass. To
mitigate this kind of attack I store only part of it in LastPass. The full
password is <last_pass_generated_password> + <few_char_nonce_that_I_know_how
to_generate_in_my_head> + <short_password_stored_in_my_head>

It's just a tiny overhead to my workflow.

------
yonilevy
The autofill feature starts sounding like the benefit isn't worth the risk.
It's kind of odd when thinking about it, that my passwords can be decrypted
without me explicitly asking for them. I hope there aren't other mechanisms
aside from autofill that allow that. While we're here - is there a way to
disable autofill in LastPass entirely?

~~~
fencepost
Disabling Autofill is the second checkbox in the General section on the first
page you see when you open Preferences in LastPass. It appears to be specific
to each instance, so if you have LastPass installed in several browsers or on
multiple systems, you may need to change it in each place.

You can also likely mitigate some of this by setting a fairly low autologoff
timeout, though how well that will work may vary widely depending on how
different people use the Web.

~~~
yonilevy
Thanks!

------
0xmohit
One should really consider using open source tools for such things. The good
thing is that those are battle-tested real well and are, usually, more secure
than the commercial offerings.

An example is Vault [0].

Encryptr [1] is another alternative: it claims that "all of your data will be
saved in encrypted format in our Zero Knowledge [2] cloud".

[0] [https://github.com/hashicorp/vault](https://github.com/hashicorp/vault)

[1] [https://spideroak.com/solutions/encryptr](https://spideroak.com/solutions/encryptr)

[2] [https://spideroak.com/features/zero-knowledge](https://spideroak.com/features/zero-knowledge)

~~~
ktta
Please correct me if I'm wrong, but LastPass uses the same 'zero-knowledge'
method that SpiderOak uses, except that SpiderOak uses that term _everywhere_,
including their cloud backup offering.

Zero knowledge is merely the fact that SpiderOak only holds encrypted backups
of your files and it has no way of seeing them. LastPass tells us the same
thing.

~~~
0xmohit
Maybe I shouldn't have mentioned Encryptr.

There are a fair number of open source alternatives that allow you to store
secrets in the cloud:

    
    
        vault: https://github.com/hashicorp/vault
        blackbox: https://github.com/StackExchange/blackbox
        git-crypt: https://www.agwa.name/projects/git-crypt/
        Pass: http://www.zx2c4.com/projects/password-store/
        Transcrypt: https://github.com/elasticdog/transcrypt
        Keyringer: https://keyringer.pw/
        git-secret: https://github.com/sobolevn/git-secret

~~~
simplexion
Definitely should have mentioned it. Encryptr is excellent.

~~~
0xmohit
I know.

It's probably not worth attempting to convince certain people. Not only
Encryptr, but even other ones [0].

Oh, and I'm not even remotely affiliated with SpiderOak.

[0] [https://spideroak.com/solutions](https://spideroak.com/solutions)

------
zouhair
People trusting a third party for their passwords boggles my mind.

~~~
crummy
Where do you write yours down?

~~~
IshKebab
I memorised a very simple algorithm to construct passwords from the domain
name of a site. Then I concatenate that with one of three fixed portions
depending on how important I view the site (e.g. banks get the most secure
one, then gmail, then everything else).

It works pretty well. Different password for each site, I only have to
remember a few things, and it would take several compromises (and a weirdly
dedicated attacker) to work out my algorithm.

For example, my 'insecure' fixed part might be 'Tenk5$' (I recommend including
uppercase, lowercase, a number and a symbol in that part to get around idiotic
password requirements). Then my algorithm could be 'the last 5 letters
backwards, skip the first vowel'. In which case my password for HN would be
'Tenk5$rtani'.

~~~
progx
Problem is that not all sites use the same style of password.

Some need lower-/uppercase, some numbers, some special chars, some
restrict to a minimum of x chars, some use a maximum.

Your system doesn't work for all things. I use a similar system, but store a
bunch of passwords with LastPass. Only really important passwords are in my
head.

~~~
qmr
> Only really important passwords are in my head.

That has not worked well for me. I have lost a small amount of bitcoin, and
some encrypted homedirs and encrypted hard drives.

------
baby
Does someone understand the snippet?

    
    
      var fixedURL = URL.match(/^(.*:\/\/[^\/]+\/.*)@/);
    
      fixedURL && (url = url.substring(0, fixedURL[1].length) + url.substring(fixedURL[1].length).replace(/@/g, "%40"));
    

It looks like:

* fixedURL is whatever is after :// and up until the very last @ (greediness)

* the second line fixedURL && is going to complete if fixedURL is not undefined

* url = this fixedURL, then the rest of it where @ was replaced by %40

so basically, entering
[http://avlidienbrunn.se/@twitter.com/@hehe.php](http://avlidienbrunn.se/@twitter.com/@hehe.php)
will give

url = avlidienbrunn.se/@twitter.com/%40hehe.php

if I understand correctly. What happens after?

EDIT: it must be that the last [^/.]* before @ is taken as the domain name.
But why splitting the URL before a @ sign? I'm confused

------
danr4
Only one person mentioned it, so I'll pitch in - Dashlane [1] is a great
password manager, and its communication with their customers is top notch
(customer service and security wise [1]). Speaking as a humble premium user
who thinks they don't get enough credit.

[1] [https://www.dashlane.com/download/Dashlane-Security-Whitepaper-V2.8.pdf](https://www.dashlane.com/download/Dashlane-Security-Whitepaper-V2.8.pdf)

~~~
cheald
Last time I looked at Dashlane, they didn't support Linux or ChromeOS, both of
which are dealbreakers for me. Has that changed?

------
pdxpatzer
I am using PasswordSafe ( pwsafe.org ) and Dropbox to sync to the cloud. I do
not use autofill, nor have I asked my browser to manage my passwords. There is
a mix of open source and commercial implementations covering all platforms
(iOS, Android and what not). PasswordSafe has also been audited.

Why isn't PasswordSafe more popular? What do other password managers have
that Password Safe does not?

~~~
janvdberg
I do pretty much the same thing (but I keep pwsafe in version control). Great
tool.

~~~
fletchowns
I do the same. I've been using Password Safe for a long time and will continue
to do so, big fan of it!

------
archangel11235
The link says that the issue has been resolved, but does it not mean that
before the fix, passwords could have been leaked? If so, should one be
updating all their stored passwords? I'm not sure if this has been discussed
in the comments here. There are 342 comments at this time; haven't read all of
them.

------
PeterWhittaker
From TFA: _Note: This issue has been already been resolved and pushed to the
Lastpass users_.

The open questions are a) how long the flaw existed prior to being fixed and
b) whether attackers were able to exploit the flaw.

~~~
Springtime
There's also the issue of users being stuck on older versions of the addon.

Update: Looks like LastPass has made a blog regarding the exploit and have
stated v3 of the addon is not affected [1]. Would be nice to have further
clarification of the differences between v3 and v4 with regard to this.

[1] [https://blog.lastpass.com/2016/07/lastpass-security-updates.html/](https://blog.lastpass.com/2016/07/lastpass-security-updates.html/)

------
dkopi
Seems like the fan is about to get hit again:

[http://www.zdnet.com/article/lastpass-zero-day-vulnerability-remotely-compromises-user-accounts/](http://www.zdnet.com/article/lastpass-zero-day-vulnerability-remotely-compromises-user-accounts/)

------
pmarreck
[https://en.wikipedia.org/wiki/Single_point_of_failure](https://en.wikipedia.org/wiki/Single_point_of_failure)

~~~
deviate_X
The elephant in the room, yes: with these master-password schemes, why does
this get so little comment?

~~~
pmarreck
I don't know. I certainly notice it

------
mohsinr
LastPass user here, thanks for getting this fixed. For any other bug/attack
like this in future, I suggest we uncheck this option: "Automatically Fill
Login Information" in the preferences tab. Would this have helped in the case
of this attack? Or would information still have been leaked?

------
tombert
I never fully trusted any centralized password managers. Since I'm a paranoid
goober, I've ended up dumping LastPass and using the Unix "pass" tool.

Anyway, I'm glad that LastPass has resolved this; last thing I want in the
news is another big password breach.

~~~
ronnier
I do the same. I wrote up a wiki on how I use it:

[http://ronnie.me/store-encrypted-passwords-in-an-encrypted-filesystem-with-encfs-and-pass](http://ronnie.me/store-encrypted-passwords-in-an-encrypted-filesystem-with-encfs-and-pass)

The issue I had with 'pass' was that it leaked info via the file names, but I
found a nice way around that.

------
pbininda
If I read this article correctly, the headline should actually be: How I made
LastPass give me all MY passwords

Update: after a few answers to my badly thought through comment, I now feel
enlightened. The attack scenario is a malicious web site which can gobble up
my passwords. Thanks

~~~
viraptor
This is just a PoC. Now imagine that the author instead:

1. Writes up that post.

2. Inserts an iframe in the post, which enumerates known sites (hidden out
of view with CSS tricks).

3. Instead of alerting on screen, sends the results back to their server.

4. Submits to HN.

~~~
maehwasu
It's also REALLY easy to deliver that malicious site through web ads,
especially background pops.

------
paulmd
Honestly you should not be running a password manager that directly ties into
your browser. Period. It's an unnecessary attack surface on a high-value
target.

Running as a separate application outside the browser is 95% as easy thanks to
auto-type.

------
JustUhThought
Given LastPass has pretty much one job to do, protect your passwords, I feel
they should refund subscribers' money (a month or several months) every time
it's shown they haven't done their job. It's gotten to the point of being
ridiculous how often I've come to HN and seen some new LastPass exploit. Once
your password is compromised you could lose everything up till that point in
time which was protected by that password. All your money in your bank
account. All your photos in the cloud. The confidentiality of your IP. The
secrecy of something in your personal life. In other words, it is
accumulative. So really, if, due to poor engineering on LastPass's behalf, you
lose it all at any point, you've really only been investing in a time
bomb. You're making monthly investments in something growing more valuable
each day until the day arrives at which the value could drop to zero. Or
worse, drop to zero and cost you. But LastPass seems to treat security issues
as non-accumulative costs. Because for them, it isn't accumulative. They keep
collecting subscription fees, adding new features, advertising to reach new
customers, and maintaining a fundamentally broken product.

------
dkersten
Its been recommended (at least as long as I've been using Lastpass, so a few
years) that you keep autofill disabled, for exactly the reason mentioned in
the article.

_"Also, this would not work if multi factor authentication was on, so you
should probably enable that as well."_

If you have something as important as a password manager (ie something that
holds the keys to ... everything), then MFA is a must. If you use LastPass
without MFA, then you're probably asking for trouble.

------
mmaunder
Tavis Ormandy tweeted yesterday that he found something:

[https://twitter.com/taviso/status/758143119409885185](https://twitter.com/taviso/status/758143119409885185)

Tavis has made quite a name for himself lately by going after AV vendors with
no mercy. So when he tweeted, the community sat up and took notice. (Our own
Slack was busy with discussion about this today)

Mathias, author of this post replied to Tavis with this:

[https://twitter.com/avlidienbrunn/status/758232557829914624](https://twitter.com/avlidienbrunn/status/758232557829914624)

The fix for the detectify exploit has already been pushed to users, so I'm
guessing they were holding onto this public disclosure but Tavis putting his
sights on lastpass too caused them to move the schedule up a little.

And the exploit from Tavis from 4 hours ago:

[https://bugs.chromium.org/p/project-zero/issues/detail?id=884](https://bugs.chromium.org/p/project-zero/issues/detail?id=884)

------
sergioisidoro
LastPass also has a flaw on 2FA. They cache local copies of the encrypted
files, and the auto-fill populates the fields after the password, before
prompting for 2FA.

It does erase the fields and prompt for 2FA, but passwords are available
briefly.

I sent a ticket to their support; they acknowledged the issue and just
asked me to disable the local cache... (Chrome extension)

~~~
niij
I've received nothing but disregard from their terrible support as well.

------
artursapek
I wonder if it would be possible to use window.history.replaceState to do this
after the page loads - eg, not having to link the user directly to
www.badsite.com/@twitter.com. A link to www.badsite.com by itself wouldn't
even look remotely suspicious.

You could even use replaceState to change it back immediately.

------
EGreg
I would say password reuse can be pretty good! Simply have your own rule such
as "letters 2 and 5 of the domain name" and combine those with your reusable
password.

In fact, I'd go further and say that you can do this with your login name. So
for example:

myemail+by@gmail.com for eBaY

This also helps mitigate those attacks where the attacker actually contacts
support and socially engineers them into giving all your info and even
stealing your account:

[https://medium.com/@espringe/amazon-s-customer-service-backdoor-be375b3428c4#.xnxfahqib](https://medium.com/@espringe/amazon-s-customer-service-backdoor-be375b3428c4#.xnxfahqib)

If you are hosting with AWS you should really consider doing that

[http://www.techinsider.io/hacker-social-engineer-2016-2](http://www.techinsider.io/hacker-social-engineer-2016-2)

------
Christofer
Enpass is the best alternative for LastPass. I switched over from LastPass a
few months ago.

First I decided on 1Password to replace LastPass, but it puts a lot of weight
on my pockets as it's very expensive. Then I encountered Enpass. It's a really
good password manager. What I like about Enpass is that it saves the database
locally on my device, not on their server, and gives the desktop app for free.

It's worth a try, and it hardly takes a few minutes to move all your LastPass
database into Enpass.
[https://www.youtube.com/watch?v=Fn69hHur3Jo](https://www.youtube.com/watch?v=Fn69hHur3Jo)

------
lyonlim
If autofill is potentially so dangerous, and in this instance, the
prerequisite setting for this to work, why should it even be a feature?

People who enable it might not understand the repercussions.

I use 1Password and always invoke a shortcut to fill in my credentials.

~~~
viraptor
It's a feature. It's got a bug. The logic for your conclusion is valid, but
not practical.

Try this: Cars are dangerous. Why do they even exist? People who drive might
not understand the repercussions.

If 1password has the same functionality, it may contain a similar
vulnerability, whether you're expected to use a keyboard shortcut or not.

------
cdecker
Now I feel kind of smug about my Yubikey + passwordstore setup, plain GPG wins
again :-)

------
giuscri
Could someone explain the posted vulnerable code to me a bit better? I don't
understand it. What's the returned value? What are URL and url? Why is the
extension expecting there to be a @ inside the url?

Thanks! :-)

~~~
edent
Very simply, I have a password stored for "login.example.com". LastPass knows
that companies like to change URLs - so next week it might be
"userlogin.example.com" or "secure.example.com/login" or
"www2.uk.vpn1.example.com" etc.

Essentially, LastPass made the mistake of writing code which said "If you see
`example.com` _anywhere_ in the URL - assume that you're on the right site."

LastPass will allow you to automatically fill in the username and password as
soon as you visit a site (I think this is an optional feature).

An attacker convinces you to visit "badsite.wtf/@example.com/". LastPass sees
the "example.com" and autofills the password field. The site has some
JavaScript to detect the filled in details - and steals them.

~~~
giuscri
OK, when is a @ ever used in the middle of a URL? I've never seen it.

Also, what's the return value of the function? And why are there 2 variables
named URL?

~~~
nchelluri
[http://user:password@example.com](http://user:password@example.com) is valid
syntax to supply u/p. Also, I suspect uri is first used up above in code we're
not shown.

------
neuroid
The issue mentioned in the blog post was fixed over a year ago [1]. However,
the issue reported by Tavis Ormandy [2] is new.

[1]: [https://blog.lastpass.com/2016/07/lastpass-security-updates.html/](https://blog.lastpass.com/2016/07/lastpass-security-updates.html/)

[2]: [https://bugs.chromium.org/p/project-zero/issues/detail?id=884](https://bugs.chromium.org/p/project-zero/issues/detail?id=884)

------
necessity
>They are still much better than the alternative (password reuse).

I'm not sure if it is; bugs like that are a serious threat. Personally I use
the same (long) password for every website, except one of the characters which
I replace by the website's first letter. One could think of similar, more
sophisticated schemes of password reuse that yield a slightly different
password for each website.

It would be even better if websites started using a public key authentication
system, though.

~~~
clay_to_n
Your "algorithm" is far less secure than using unique secure passwords through
a PW manager. If someone got access to 2 (maybe 1) of your passwords, they
would have all your passwords.

~~~
necessity
I can see that if the same attacker managed to get access to two of my
passwords and was particularly interested in me, but how likely is that
compared to an exploit on a password manager? Besides, I change all my
passwords twice a year.

------
tedmiston
There's been discussion in subthreads about why sandboxed browser extensions
are more protected from a malicious page hijacking parsing the URL.

It's easy to forget that sandboxed extensions don't exist yet in iOS (as of
9.3.3), and sometimes we still have to use bookmarklets.

As far as I know, bookmarklets aren't afforded any level of sandboxing type
protection. I wonder if a malicious page could intervene like that.

------
cyphar
Can we also discuss the fact that LastPass's two factor authentication is
clearly done client-side (if you already have logged in on a machine, then you
can fill in a login _before_ it asks for your two factor authentication
token). This is ridiculous. I need to switch to something else, is there a
browser plugin for free software password managers like KeePassX?

------
diziet
To my best knowledge LastPass comes with Autofill disabled by default on at
least Chrome (or I was paranoid enough to turn it off myself)

~~~
serf
It's a suggested default by the LP installer to disable whatever browser's
built-in password manager.

~~~
niij
This post is exploiting a vulnerability in LastPass auto fill, not the
browser's auto fill.

------
DonHopkins
He deserved a whole lot more than $1000 for discovering and reporting such a
huge, idiotic security hole that should have never happened in the first
place, and it should come out of the salary of whoever caused it by indulging
their own laziness and convenience by abusing regular expressions so
carelessly and casually.

~~~
mankyd
> and it should come out of the salary of whoever caused it by indulging their
> own laziness and convenience by abusing regular expressions so carelessly
> and casually.

No. People make mistakes. Honest, unintentional, well-meaning mistakes. Don't
punish individuals for being human. Help them learn from them.

Don't make individuals afraid to do their job.

Should the _organization_ be punished? Should they pay more than $1000? That's
well worth discussing.

~~~
DonHopkins
So do you believe that a patient shouldn't be able to sue their doctor who
took a shortcut that caused them harm?

Some people work in fields where there's an extremely high cost to making
mistakes, and whose customers trust them to be careful and meticulous. Those
people are paid to be more careful than your average code monkey who churns
out regular expressions to save time instead of carefully researching the
problem, performing code reviews, and using standard well tested libraries to
parse complex but precisely documented standards like html and urls.
Developing a browser plug-in to manage passwords is one of them.

Some people, when confronted with a problem, think "I know, I'll use regular
expressions." Now they have two problems. -JWZ

~~~
mankyd
I seriously doubt this engineer was operating without code review, test
infrastructure, and other safety checks in place. They aren't solely
responsible.

If they don't have those types of checks in place, that's the fault of the
company.

If someone wants to sue over this, then sure, sue the individual (and the
company). But as a manager in a company, I would not punish the individual.
I would have them conduct a thorough post mortem and look for ways to avoid
problems like this in the future. People do learn from their mistakes and that
is valuable.

------
raverbashing
Was this an issue with the browser extension?

How (and how often) are updates pushed to the client?

~~~
viraptor
Yes, at least the Chrome one.

They're pushed via Chrome's extension store. Definitely at browser startup,
but otherwise periodically every 5 hours (by default).

------
nxzero
Bounties for security should be valued by an independent party.

------
cheald
Turn off autofill. Takes you 2 clicks to fill things in when you need to, and
you're sure that you're only providing credentials when you mean to.

------
cyberpanther
I'm a LastPass user but not really in love with it. If I were to switch, which
is best and WHY? I need it to support chrome and Android.

~~~
ctulek
I like 1Password. They were expensive and required separate licenses for
desktop and mobile when I bought. I don't know the current pricing model.

They have a good product, nice blog articles explaining various technical
decisions they made, and fast customer support in terms of listening to
feedback.

~~~
lyonlim
Same here. I researched quite a bit before settling on 1Password. I bought
separate licenses for all my devices across Mac and Windows, Android and iOS.

Beware though... their Android app does not support multiple vaults. And their
Windows client is really ugly. Their iOS and Mac apps are very refined
though... and I know the founder is trying to close this feature gap across
platforms.

They seem to be moving towards subscription licenses with Teams and Family
though...which do not require separate licenses for different platforms.

~~~
cyberpanther
I really like that they have family pricing, even if I just get my wife on the
subscription.

------
kmiroslav
I don't quite follow. The author says that by entering the URL
"[http://avlidienbrunn.se/@twitter.com/@hehe.php](http://avlidienbrunn.se/@twitter.com/@hehe.php)",
the extension is fooled into autofilling as if the browser was on twitter.com.

What's the difference with simply going to
"[http://twitter.com](http://twitter.com)"?

This looks more like a bug than a vulnerability, what am I missing?

~~~
rietta
A bug that tricks the secure password management tool into revealing your
Twitter password to a website that is not Twitter! That's a pretty major
security vulnerability due to a bug in URL parsing.

~~~
kmiroslav
But the information is not sent to the server, it's simply pasted in the text
field.

~~~
tronje
Yes, but some JavaScript can detect that the text field has been filled, and
then send the information back to the attacker's server. An (innocent) example
of this is when you type something into Google's search field, and you already
see suggestions, even though you haven't clicked anywhere or hit Enter yet.

------
thulebag
They wouldn't give me a bug bounty for the chrome plugin bug I found.

Remote JavaScript could trigger the export all passwords feature...

------
Canada
Does this attack still work if "Automatically fill login information" was
disabled in preferences?

~~~
tmikaeld
No, it does not, and I think this should be the standard setting.

------
gohrt
$1000 is a stingy payout for a bug that undermines the reason for the
product's existence.

------
ryanlm
Is someone going to lose their job over this?

