LastPass security hole (cross site scripting)

General discussion about the NoScript extension for Firefox
Logos
Junior Member
Posts: 43
Joined: Wed Oct 28, 2009 5:11 pm

LastPass security hole (cross site scripting)

Post by Logos » Wed Mar 02, 2011 1:14 pm

this is just a copy/paste of a message I just posted on Avast forums, after reading a few reports. Not sure if all this has been mentioned here already... anyway:

lastpass cross scripting vulnerability revealed:
http://www.theregister.co.uk/2011/03/01 ... e_xss_bug/
https://grepular.com/LastPass_Vulnerabi ... nt_Details

forum thread:
http://forums.lastpass.com/viewtopic.php?f=12&t=60559

lastpass response:
http://blog.lastpass.com/2011/02/cross- ... ility.html
http://blog.lastpass.com/2011/03/conten ... ented.html

... I guess - if we don't take LP recent fixes into account - people using FF NoScript on any FF version or simply using FF4 (CSP implementation https://wiki.mozilla.org/Security/CSP/Specification ) are protected.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b13pre) Gecko/20110228 Firefox/4.0b13pre

User avatar
Giorgio Maone
Site Admin
Posts: 8790
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: LastPass security hole (cross site scripting)

Post by Giorgio Maone » Thu Mar 03, 2011 9:36 am

Logos wrote:... I guess - if we don't take LP recent fixes into account - people using FF NoScript on any FF version or simply using FF4 (CSP implementation https://wiki.mozilla.org/Security/CSP/Specification ) are protected.

CSP cannot help, unless the site developers have carefully deployed a restrictive policy.
At this moment no site (except, maybe, some Mozilla properties, as an experiment) do.

NoScript's XSS filter, on the other hand, works no matter how skilled/informed/up-to-date the site owners are :)
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.14) Gecko/20110218 Firefox/3.6.14

Logos
Junior Member
Posts: 43
Joined: Wed Oct 28, 2009 5:11 pm

Re: LastPass security hole (cross site scripting)

Post by Logos » Thu Mar 03, 2011 9:41 am

okay thanks for the feedback, I had no doubt that NS would be the ultimate protection against such attacks ;)

ps: on a side note for those reading this thread, I wanted to add that obviously the issue (XSS) may occur exclusively when accessing your lastpass account directly on lastpass website. The use itself of the lastpass plugin represents no problem whatsoever.
Mozilla/5.0 (Windows; Windows NT 6.1) AppleWebKit/534.23 (KHTML, like Gecko) Chrome/11.0.686.1 Safari/534.23

User avatar
Giorgio Maone
Site Admin
Posts: 8790
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: LastPass security hole (cross site scripting)

Post by Giorgio Maone » Thu Mar 03, 2011 10:09 am

Logos wrote:ps: on a side note for those reading this thread, I wanted to add that obviously the issue (XSS) may occur exclusively when accessing your lastpass account directly on lastpass website. The use itself of the lastpass plugin represents no problem whatsoever.

Not sure about it, where did you read this?
AFAIK, the LastPass add-on keeps an authenticated session with the website, acting as a logged-in user.
If it works this way (very likely), a XSS attack can impersonate you anyway, even if you don't visit the LastPass web site, because any HTTP request sends the authentication tokens.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.14) Gecko/20110218 Firefox/3.6.14

Logos
Junior Member
Posts: 43
Joined: Wed Oct 28, 2009 5:11 pm

Re: LastPass security hole (cross site scripting)

Post by Logos » Thu Mar 03, 2011 10:41 am

Giorgio Maone wrote:
Logos wrote:ps: on a side note for those reading this thread, I wanted to add that obviously the issue (XSS) may occur exclusively when accessing your lastpass account directly on lastpass website. The use itself of the lastpass plugin represents no problem whatsoever.

Not sure about it, where did you read this?
AFAIK, the LastPass add-on keeps an authenticated session with the website, acting as a logged-in user.
If it works this way (very likely), a XSS attack can impersonate you anyway, even if you don't visit the LastPass web site, because any HTTP request sends the authentication tokens.


here, was linked to on their forums by a user, but actually they don't they say much :mrgreen:
https://lastpass.com/whylastpass_technology.php
LastPass is an evolved Host Proof hosted solution, which avoids the stated weakness of vulnerability to XSS as long as you're using the add-on


... don't know, I admit I don't know much myself about how XSS attacks are launched, i.e. exactly in which conditions. Thought so far that browsing to the actual site was necessary, as opposed to login in directly. Two things: the guy who demonstrated the attack said it was possible with no lp plugin installed, meaning that he reached the web site first without being logged in already. When I do that, ie go to my account on last pass site, I'm already logged in.

Anyway from what you're saying this doesn't make any difference, as long as in any case there's an http request sending the same authentication tokens in the exact same way. Okay I'm not a specialist and I should probably read more stuff about XSS, it's just hard to imagine how a third party could interfere when I log in to LP server from the plugin. One thing I need to know is how the code injection is done to allow XSS, because it doesn't seem that a targeted site has to be hacked at all, just the user's client is affected... Also, what happens if I never log off? thanks.

ps: also, did you read this... http://blog.lastpass.com/2011/02/cross- ... ility.html
Mozilla/5.0 (Windows; Windows NT 6.1) AppleWebKit/534.23 (KHTML, like Gecko) Chrome/11.0.686.1 Safari/534.23

User avatar
Giorgio Maone
Site Admin
Posts: 8790
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: LastPass security hole (cross site scripting)

Post by Giorgio Maone » Thu Mar 03, 2011 10:55 am

Logos wrote:When I do that, ie go to my account on last pass site, I'm already logged in.

This means that I was right: the plugin logins for you, therefore if you've got it you're always logged in and always vulnerable.

Logos wrote:Also, what happens if I never log off?

You're always vulnerable (see above).
Logos wrote:ps: also, did you read this... http://blog.lastpass.com/2011/02/cross- ... ility.html

Yes, they forgot to mention that HSTS is implemented by NoScript (actually, it's been the first implementation) and thus work on Fx < 4 too, and that NoScript users were protected against this attack.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.14) Gecko/20110218 Firefox/3.6.14

Logos
Junior Member
Posts: 43
Joined: Wed Oct 28, 2009 5:11 pm

Re: LastPass security hole (cross site scripting)

Post by Logos » Thu Mar 03, 2011 11:19 am

okay this is all very interesting, I guess you won't mind if I link to this thread from lastpass forums. One big issue as you can imagine is that many users, and this includes me, switched to LastPass out of frustration with Google Chrome password manager... no need to go into the details here it's not good, no encryption at UI level (i.e. passwords are still encrypted at file level but shown in clear in the UI), many sites credential fields are badly detected etc... so the solution was lastpass, not mentioning its multi-browser functionality. And the thing is that as far as I know, there's no anti-XSS protection in Chrome. There use to be a so called "XSS auditor" option at experimental stage and they removed it. I'm not gonna say again that NoScript doesn't exist for Chrome, that the existing sort of replacement, "NotScripts", hasn't been updated since September last year... I guess the guy gave up since there was no evolution in Google API to allow any improvement of his extension.

So here we are, no XSS protection in Chrome, and again that's where a majority of new LP users are, in Chrome. On a side note, as you probably know, Wladimir Palant, AB+ developer, after saying that he'd never do it, finally accepted to take care of Chrome (through AdThwart now renamed)... doesn't mean of course that much has changed in the process of blocking ads in Chrome so far (efficiency compared to what's possible in Firefox), and doesn't mean that more doors are opened for NS to be implemented in Chrome.

ps: a worse case lol, lastpass is usable as an iPhone app.Safari there wouldn't allow the implementation of any script protection plugin anyway :roll:

edit: would you say that Google Chrome "SYNC" and Mozilla Firefox4 "SYNC" are vulnerable too? I guess yes...
Mozilla/5.0 (Windows; Windows NT 6.1) AppleWebKit/534.23 (KHTML, like Gecko) Chrome/11.0.686.1 Safari/534.23

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: LastPass security hole (cross site scripting)

Post by Tom T. » Tue Mar 29, 2011 6:35 am

Suggestion: I've been using Password Safe for a long time. It's self-contained -- no connection to a remote server. All is stored locally in your machine, always encrypted, never in plain text, and in fact you can put it all on a USB flash drive and plug it into any Windows machine and use it without leaving traces on the host computer. The actual encrypted password file for my current 40+ entries is about 14k, so can be backed up frequently to any medium. You don't need to back up the entire program. If your machine crashes, new hard drive, whatever, just d/l PWS again and move the backup passwordsafe file to the new installation.

Will auto-browse to the login URL with one click; will auto-enter username, password, and "enter" with one click. Stores notes, like the silly "challenge question" answers, also encrypted. Supports sandboxed browsers.

Being totally self-contained, I'd think this would eliminate all possibility of an XSS vuln in your password manager. I agree about the weakness of browser pw-managers, and *also* of any solution involving a third-party web site. Total freeware, no nag screen. Only a few MB of disk space or flash drive space, and only a few MB of RAM. *No* bandwidth overhead.

Also, if your machine is stolen, or you have it on a flash drive and that's stolen. so long as you've chosen a long and strong master password, no one can open your safe - brute force cracking would take forever.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/3.6.15

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: LastPass security hole (cross site scripting)

Post by Tom T. » Wed Apr 13, 2011 11:19 pm

I see that the discoverer of the vulnerability feels the same way I do. (second link in OP, https://grepular.com/LastPass_Vulnerabi ... nt_Details):

Perhaps it's just inherently dangerous to outsource your password management to a third party.

He should certainly know. ;)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/3.6.15

User avatar
therube
Ambassador
Posts: 7528
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: LastPass security hole (cross site scripting)

Post by therube » Thu Apr 14, 2011 5:31 am

Oops. Heh.

As well as fixing the XSS, they need to start using HSTS too.


Wikipedia (Chromium) states that the do?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; rv:2.0b13pre) Gecko/20110305 Firefox/4.0b13pre SeaMonkey/2.1b3pre

dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: LastPass security hole (cross site scripting)

Post by dhouwn » Thu Apr 14, 2011 6:47 pm

Now they do. Now they do…
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: LastPass security hole (cross site scripting)

Post by Tom T. » Fri Apr 15, 2011 8:41 am

@ dhouwn: LOL! (but sad -- locking the barn after the horse has already escaped.)

Just some food for thought...

1) What if LastPass goes out of business?
2) Corrupt employee takes a bribe to do evil?
3) Disgruntled employee does evil to get revenge?
4) Innocent employee extorted by threats against family, etc.?
5) DOS attack knocks their servers offline for some number of hours, or worse?
6) Their servers go down due to hw or sw failure? How much redundancy do they have?
7) Power failure, hurricane/tornado/lightning/flood/earthquake/tsunami/fire? Blizzard prevents anyone from getting to work? etc. How much *off-site* full redundancy do they have? E. g., server in California crumbled by earthquake, is there one in London that can handle *all* of the load and has the info?
8) (make up your own - there must be plenty more)

Sure, these things can happen to *any* Web site. But when the service involved is the storage and retrieval of all of your user/pass to *every* other site that requires them...

Which is why when there is a choice between the cloud and home, I'm with Dorothy: "There's no place like home". -- meaning, the machine that I have under my personal physical control, including appropriate Internet security. (There's some sort of add-on that's supposed to stop a lot of that Internet junk from running on your computer, I think.) ;)

I hope that those who use LastPass have all of their user/pass stored *on paper* in what they consider to be a safe location. (Is there anyone in your household whom you don't trust?) And electronically, but *not* on your computer. Perhaps a flash drive, CD, DVD, whatever, in which your U/P are stored in an encrypted TrueCrypt volume. Then, if one of these worst-case scenarios happens, you haven't lost it all.

As said, the Password Safe's small U/P file is easily backed up to any other medium, which could be carried or stored anywhere, and used on any other Win machine.

DISCLAIMER: The opinions expressed in this thread are my own personal opinions, and do not necessarily reflect the opinions of this forum, its Admin/Developer, or of any other person but myself. I have no connection to either LastPass or Password Safe, and don't know anyone associated with either product. These opinions were posted in the hope that they might be of some use to some users in making their password-management decisions, but said opinions come with no guarantees or warranties, express or implied, and this writer accepts no liability for anyone's use of this information. If you do not agree to these terms, do not use this information.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/3.6.15

dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: LastPass security hole (cross site scripting)

Post by dhouwn » Fri Apr 15, 2011 1:12 pm

If this is going to be a thread about passport handling in general, here is how I roll: I generate a password for each domain based with a one-way algorithm fed with the domain (with TLD) + a master password, ie. like feeding "amazon.co.uk" concatenated with "f00&Bar123" to MD5 (and then base64ing it for compatibility). There are scripts that offer this as well like http://supergenpass.com/ (note, a site could get your master Pwd through the bookmarklet) or https://www.pwdhash.com/
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: LastPass security hole (cross site scripting)

Post by Tom T. » Sat Apr 16, 2011 9:45 am

dhouwn wrote:If this is going to be a thread about passport handling in general, here is how I roll: I generate a password for each domain based with a one-way algorithm fed with the domain (with TLD) + a master password, ie. like feeding "amazon.co.uk" concatenated with "f00&Bar123" to MD5 (and then base64ing it for compatibility). There are scripts that offer this as well like http://supergenpass.com/ (note, a site could get your master Pwd through the bookmarklet) or https://www.pwdhash.com/

It *does* seem as though it's gone O/T to the OP, but after the trashing of LastPass's "security", I just wanted to offer a local-machine-based alternative that could never have the XSS or other issues. If continued, it might be moved to Forum Extras > Security.

Your way is interesting! it's probably beyond the reach of the average, non-tech-savvy home user, whereas the solution I like requires nothing more than the basic ability to use a computer -- icons, copy/paste, etc. It also contains its own crypto-strength random pw generator, which can be set to the requirements of various sites. E. g., length; some don't allow keyboard characters @#$%; hex-only, etc.

Without looking deeply into what you're doing. the note about sites getting the master through a bookmarklet is troubling. Also, while I'm not a cryptogeek by any means, I understand that it is dangerous to use the same key (your master pw) to encrypt multiple plaintexts, because it is subject to differential cryptanalysis. The attacker already knows the other part of the plaintext -- your domain name. By comparing various outputs, they can deduce your master pw.

As said, I'm not deeply into crypto, but you might try reading the linked article for a starter, and see if this is a threat to that method. I'd be interested either way, and if it's an unnecessary scare, advance apologies. Cheers.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/3.6.15

tlu
Senior Member
Posts: 129
Joined: Fri Jun 05, 2009 8:01 pm

Re: LastPass security hole (cross site scripting)

Post by tlu » Tue May 10, 2011 4:02 pm

Tom T. wrote:Just some food for thought...

1) What if LastPass goes out of business?
2) Corrupt employee takes a bribe to do evil?
3) Disgruntled employee does evil to get revenge?
4) Innocent employee extorted by threats against family, etc.?
5) DOS attack knocks their servers offline for some number of hours, or worse?
6) Their servers go down due to hw or sw failure? How much redundancy do they have?
7) Power failure, hurricane/tornado/lightning/flood/earthquake/tsunami/fire? Blizzard prevents anyone from getting to work? etc. How much *off-site* full redundancy do they have? E. g., server in California crumbled by earthquake, is there one in London that can handle *all* of the load and has the info?
8) (make up your own - there must be plenty more)

Sure, these things can happen to *any* Web site. But when the service involved is the storage and retrieval of all of your user/pass to *every* other site that requires them...
...
I hope that those who use LastPass have all of their user/pass stored *on paper* in what they consider to be a safe location. (Is there anyone in your household whom you don't trust?) And electronically, but *not* on your computer. Perhaps a flash drive, CD, DVD, whatever, in which your U/P are stored in an encrypted TrueCrypt volume. Then, if one of these worst-case scenarios happens, you haven't lost it all.

As you've said yourself, this is going a bit OT. Nevertheless I want to clarify some things as you don't seem to be familiar with the Lastpass approach:
1. There is only encrypted data on the Lastpass servers. Encryption/decryption is done only on your computer.
2. Your data is also stored on your computer in encrypted form and can be copied to a USB stick or whatever.

Consequences:
1. If there is a data theft from their servers the thieves cannot use it unless you're master password is very weak and prone to a dictionary attack.
2. If the servers are offline or Lastpass is bankrupt you can still access the data on your harddisk via the plugin (but you can't change/add new data) - and you can still export it to, e.g. the Firefox password manager or to a csv file.

This is not meant to convince you. But I think it's obvious that most of the attacks/incidents you mentioned would come to nothing.
Mozilla/5.0 (X11; Linux x86_64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

Post Reply