LastPass security hole (cross site scripting)

[Logos]

this is just a copy/paste of a message I just posted on Avast forums, after reading a few reports. Not sure if all this has been mentioned here already... anyway:

lastpass cross scripting vulnerability revealed:
http://www.theregister.co.uk/2011/03/01 ... e_xss_bug/
https://grepular.com/LastPass_Vulnerabi ... nt_Details

forum thread:
http://forums.lastpass.com/viewtopic.php?f=12&t=60559

lastpass response:
http://blog.lastpass.com/2011/02/cross- ... ility.html
http://blog.lastpass.com/2011/03/conten ... ented.html

... I guess - if we don't take LP recent fixes into account - people using FF NoScript on any FF version or simply using FF4 (CSP implementation https://wiki.mozilla.org/Security/CSP/Specification ) are protected.

[Giorgio Maone]

... I guess - if we don't take LP recent fixes into account - people using FF NoScript on any FF version or simply using FF4 (CSP implementation https://wiki.mozilla.org/Security/CSP/Specification ) are protected.

CSP cannot help, unless the site developers have carefully deployed a restrictive policy.
At this moment no site (except, maybe, some Mozilla properties, as an experiment) do.

NoScript's XSS filter, on the other hand, works no matter how skilled/informed/up-to-date the site owners are

[Logos]

okay thanks for the feedback, I had no doubt that NS would be the ultimate protection against such attacks

ps: on a side note for those reading this thread, I wanted to add that obviously the issue (XSS) may occur exclusively when accessing your lastpass account directly on lastpass website. The use itself of the lastpass plugin represents no problem whatsoever.

[Giorgio Maone]

ps: on a side note for those reading this thread, I wanted to add that obviously the issue (XSS) may occur exclusively when accessing your lastpass account directly on lastpass website. The use itself of the lastpass plugin represents no problem whatsoever.

Not sure about it, where did you read this?
AFAIK, the LastPass add-on keeps an authenticated session with the website, acting as a logged-in user.
If it works this way (very likely), a XSS attack can impersonate you anyway, even if you don't visit the LastPass web site, because any HTTP request sends the authentication tokens.

[Logos]

ps: on a side note for those reading this thread, I wanted to add that obviously the issue (XSS) may occur exclusively when accessing your lastpass account directly on lastpass website. The use itself of the lastpass plugin represents no problem whatsoever.

Not sure about it, where did you read this?
AFAIK, the LastPass add-on keeps an authenticated session with the website, acting as a logged-in user.
If it works this way (very likely), a XSS attack can impersonate you anyway, even if you don't visit the LastPass web site, because any HTTP request sends the authentication tokens.

here, was linked to on their forums by a user, but actually they don't they say much
https://lastpass.com/whylastpass_technology.php

LastPass is an evolved Host Proof hosted solution, which avoids the stated weakness of vulnerability to XSS as long as you're using the add-on

... don't know, I admit I don't know much myself about how XSS attacks are launched, i.e. exactly in which conditions. Thought so far that browsing to the actual site was necessary, as opposed to login in directly. Two things: the guy who demonstrated the attack said it was possible with no lp plugin installed, meaning that he reached the web site first without being logged in already. When I do that, ie go to my account on last pass site, I'm already logged in.

Anyway from what you're saying this doesn't make any difference, as long as in any case there's an http request sending the same authentication tokens in the exact same way. Okay I'm not a specialist and I should probably read more stuff about XSS, it's just hard to imagine how a third party could interfere when I log in to LP server from the plugin. One thing I need to know is how the code injection is done to allow XSS, because it doesn't seem that a targeted site has to be hacked at all, just the user's client is affected... Also, what happens if I never log off? thanks.

ps: also, did you read this... http://blog.lastpass.com/2011/02/cross- ... ility.html

[Giorgio Maone]

When I do that, ie go to my account on last pass site, I'm already logged in.

This means that I was right: the plugin logins for you, therefore if you've got it you're always logged in and always vulnerable.

Also, what happens if I never log off?

You're always vulnerable (see above).

ps: also, did you read this... http://blog.lastpass.com/2011/02/cross- ... ility.html

Yes, they forgot to mention that HSTS is implemented by NoScript (actually, it's been the first implementation) and thus work on Fx < 4 too, and that NoScript users were protected against this attack.

[Logos]

okay this is all very interesting, I guess you won't mind if I link to this thread from lastpass forums. One big issue as you can imagine is that many users, and this includes me, switched to LastPass out of frustration with Google Chrome password manager... no need to go into the details here it's not good, no encryption at UI level (i.e. passwords are still encrypted at file level but shown in clear in the UI), many sites credential fields are badly detected etc... so the solution was lastpass, not mentioning its multi-browser functionality. And the thing is that as far as I know, there's no anti-XSS protection in Chrome. There use to be a so called "XSS auditor" option at experimental stage and they removed it. I'm not gonna say again that NoScript doesn't exist for Chrome, that the existing sort of replacement, "NotScripts", hasn't been updated since September last year... I guess the guy gave up since there was no evolution in Google API to allow any improvement of his extension.

So here we are, no XSS protection in Chrome, and again that's where a majority of new LP users are, in Chrome. On a side note, as you probably know, Wladimir Palant, AB+ developer, after saying that he'd never do it, finally accepted to take care of Chrome (through AdThwart now renamed)... doesn't mean of course that much has changed in the process of blocking ads in Chrome so far (efficiency compared to what's possible in Firefox), and doesn't mean that more doors are opened for NS to be implemented in Chrome.

ps: a worse case lol, lastpass is usable as an iPhone app.Safari there wouldn't allow the implementation of any script protection plugin anyway

edit: would you say that Google Chrome "SYNC" and Mozilla Firefox4 "SYNC" are vulnerable too? I guess yes...

[Tom T.]

Suggestion: I've been using Password Safe for a long time. It's self-contained -- no connection to a remote server. All is stored locally in your machine, always encrypted, never in plain text, and in fact you can put it all on a USB flash drive and plug it into any Windows machine and use it without leaving traces on the host computer. The actual encrypted password file for my current 40+ entries is about 14k, so can be backed up frequently to any medium. You don't need to back up the entire program. If your machine crashes, new hard drive, whatever, just d/l PWS again and move the backup passwordsafe file to the new installation.

Will auto-browse to the login URL with one click; will auto-enter username, password, and "enter" with one click. Stores notes, like the silly "challenge question" answers, also encrypted. Supports sandboxed browsers.

Being totally self-contained, I'd think this would eliminate all possibility of an XSS vuln in your password manager. I agree about the weakness of browser pw-managers, and *also* of any solution involving a third-party web site. Total freeware, no nag screen. Only a few MB of disk space or flash drive space, and only a few MB of RAM. *No* bandwidth overhead.

Also, if your machine is stolen, or you have it on a flash drive and that's stolen. so long as you've chosen a long and strong master password, no one can open your safe - brute force cracking would take forever.

[Tom T.]

I see that the discoverer of the vulnerability feels the same way I do. (second link in OP, https://grepular.com/LastPass_Vulnerabi ... nt_Details):

Perhaps it's just inherently dangerous to outsource your password management to a third party.

He should certainly know.

[therube]

Oops. Heh.

As well as fixing the XSS, they need to start using HSTS too.

Wikipedia (Chromium) states that the do?

[dhouwn]

Now they do. Now they do…

[Tom T.]

@ dhouwn: LOL! (but sad -- locking the barn after the horse has already escaped.)

Just some food for thought...

1) What if LastPass goes out of business?
2) Corrupt employee takes a bribe to do evil?
3) Disgruntled employee does evil to get revenge?
4) Innocent employee extorted by threats against family, etc.?
5) DOS attack knocks their servers offline for some number of hours, or worse?
6) Their servers go down due to hw or sw failure? How much redundancy do they have?
7) Power failure, hurricane/tornado/lightning/flood/earthquake/tsunami/fire? Blizzard prevents anyone from getting to work? etc. How much *off-site* full redundancy do they have? E. g., server in California crumbled by earthquake, is there one in London that can handle *all* of the load and has the info?
8) (make up your own - there must be plenty more)

Sure, these things can happen to *any* Web site. But when the service involved is the storage and retrieval of all of your user/pass to *every* other site that requires them...

Which is why when there is a choice between the cloud and home, I'm with Dorothy: "There's no place like home". -- meaning, the machine that I have under my personal physical control, including appropriate Internet security. (There's some sort of add-on that's supposed to stop a lot of that Internet junk from running on your computer, I think.)

I hope that those who use LastPass have all of their user/pass stored *on paper* in what they consider to be a safe location. (Is there anyone in your household whom you don't trust?) And electronically, but *not* on your computer. Perhaps a flash drive, CD, DVD, whatever, in which your U/P are stored in an encrypted TrueCrypt volume. Then, if one of these worst-case scenarios happens, you haven't lost it all.

As said, the Password Safe's small U/P file is easily backed up to any other medium, which could be carried or stored anywhere, and used on any other Win machine.

DISCLAIMER: The opinions expressed in this thread are my own personal opinions, and do not necessarily reflect the opinions of this forum, its Admin/Developer, or of any other person but myself. I have no connection to either LastPass or Password Safe, and don't know anyone associated with either product. These opinions were posted in the hope that they might be of some use to some users in making their password-management decisions, but said opinions come with no guarantees or warranties, express or implied, and this writer accepts no liability for anyone's use of this information. If you do not agree to these terms, do not use this information.

[dhouwn]

If this is going to be a thread about passport handling in general, here is how I roll: I generate a password for each domain based with a one-way algorithm fed with the domain (with TLD) + a master password, ie. like feeding "amazon.co.uk" concatenated with "f00&Bar123" to MD5 (and then base64ing it for compatibility). There are scripts that offer this as well like http://supergenpass.com/ (note, a site could get your master Pwd through the bookmarklet) or https://www.pwdhash.com/

[Tom T.]

If this is going to be a thread about passport handling in general, here is how I roll: I generate a password for each domain based with a one-way algorithm fed with the domain (with TLD) + a master password, ie. like feeding "amazon.co.uk" concatenated with "f00&Bar123" to MD5 (and then base64ing it for compatibility). There are scripts that offer this as well like http://supergenpass.com/ (note, a site could get your master Pwd through the bookmarklet) or https://www.pwdhash.com/

It *does* seem as though it's gone O/T to the OP, but after the trashing of LastPass's "security", I just wanted to offer a local-machine-based alternative that could never have the XSS or other issues. If continued, it might be moved to Forum Extras > Security.

Your way is interesting! it's probably beyond the reach of the average, non-tech-savvy home user, whereas the solution I like requires nothing more than the basic ability to use a computer -- icons, copy/paste, etc. It also contains its own crypto-strength random pw generator, which can be set to the requirements of various sites. E. g., length; some don't allow keyboard characters @#$%; hex-only, etc.

Without looking deeply into what you're doing. the note about sites getting the master through a bookmarklet is troubling. Also, while I'm not a cryptogeek by any means, I understand that it is dangerous to use the same key (your master pw) to encrypt multiple plaintexts, because it is subject to differential cryptanalysis. The attacker already knows the other part of the plaintext -- your domain name. By comparing various outputs, they can deduce your master pw.

As said, I'm not deeply into crypto, but you might try reading the linked article for a starter, and see if this is a threat to that method. I'd be interested either way, and if it's an unnecessary scare, advance apologies. Cheers.

[tlu]

Just some food for thought...

1) What if LastPass goes out of business?
2) Corrupt employee takes a bribe to do evil?
3) Disgruntled employee does evil to get revenge?
4) Innocent employee extorted by threats against family, etc.?
5) DOS attack knocks their servers offline for some number of hours, or worse?
6) Their servers go down due to hw or sw failure? How much redundancy do they have?
7) Power failure, hurricane/tornado/lightning/flood/earthquake/tsunami/fire? Blizzard prevents anyone from getting to work? etc. How much *off-site* full redundancy do they have? E. g., server in California crumbled by earthquake, is there one in London that can handle *all* of the load and has the info?
8) (make up your own - there must be plenty more)

Sure, these things can happen to *any* Web site. But when the service involved is the storage and retrieval of all of your user/pass to *every* other site that requires them...
...
I hope that those who use LastPass have all of their user/pass stored *on paper* in what they consider to be a safe location. (Is there anyone in your household whom you don't trust?) And electronically, but *not* on your computer. Perhaps a flash drive, CD, DVD, whatever, in which your U/P are stored in an encrypted TrueCrypt volume. Then, if one of these worst-case scenarios happens, you haven't lost it all.

As you've said yourself, this is going a bit OT. Nevertheless I want to clarify some things as you don't seem to be familiar with the Lastpass approach:
1. There is only encrypted data on the Lastpass servers. Encryption/decryption is done only on your computer.
2. Your data is also stored on your computer in encrypted form and can be copied to a USB stick or whatever.

Consequences:
1. If there is a data theft from their servers the thieves cannot use it unless you're master password is very weak and prone to a dictionary attack.
2. If the servers are offline or Lastpass is bankrupt you can still access the data on your harddisk via the plugin (but you can't change/add new data) - and you can still export it to, e.g. the Firefox password manager or to a csv file.

This is not meant to convince you. But I think it's obvious that most of the attacks/incidents you mentioned would come to nothing.