LastPass XSS vulnerability found, website and browser add-ons affected (updated)
Mike Cardwell, the Stallmanite who recently discovered a fantastically covert way of working out which Web services you're currently logged in to, has found a nasty XSS vulnerability in the LastPass password manager. The cross-site scripting (XSS) vulnerability not only allows nefarious types to see which sites you've recently logged in to, but it also provides access to your email address and password reminder.

First off: don't worry. Cardwell reported the vulnerability to LastPass before writing it up, and it has since been fixed. We're not sure if the fix has propagated out to the Chrome and Firefox add-ons -- but we have to assume that Cardwell wouldn't have written his blog post if the vulnerability still existed.
With that said, you should still be more than a little concerned about the fundamental architecture of LastPass as an in-the-cloud password manager. While this cross-site scripting attack was fixed quickly, Cardwell thinks a similar attack "could easily happen again in future."
Beyond being susceptible to XSS attacks, LastPass doesn't even use HSTS (HTTP Strict Transport Security, the response header that tells a browser to talk to a site only over HTTPS), which means that man-in-the-middle (MITM) attacks are also rather easy to pull off.
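To make the HSTS point concrete, here is an added example (not code from the original article, LastPass or Cardwell) that checks a set of HTTP response headers for a usable Strict-Transport-Security policy: present, with a parseable max-age that is not zero or very short, and ideally covering subdomains. The sample responses are constructed, and the 180-day minimum is this checker's own threshold, not a value from the article. Note that HSTS only helps after the browser has seen the header once over HTTPS (or has the site in its preload list); the very first plain-http request is still exposed, which is why the checker flags short lifetimes.

```python
"""Check HTTP response headers for a usable Strict-Transport-Security policy.

Constructed example: the sample responses below are made up for illustration,
not captured from LastPass or any real site.
"""
from __future__ import annotations

import re

# Threshold used by this checker (an assumption, not a standards value):
# browsers honour any positive max-age, but a short one expires quickly and
# must be re-learned over a plain-http first request that can be intercepted.
MIN_MAX_AGE = 180 * 24 * 3600  # 180 days


def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security header value into its directives.

    Returns {'max_age': int | None, 'include_subdomains': bool, 'preload': bool}.
    Unknown directives are ignored, as browsers do; a non-numeric max-age is
    treated as absent because browsers then ignore the whole header.
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')
        if name == "max-age":
            if re.fullmatch(r"\d+", raw):
                result["max_age"] = int(raw)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def evaluate_hsts(headers: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means the policy looks sound.

    `headers` maps response header names (any letter case) to values.
    """
    findings = []
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["no Strict-Transport-Security header: a plain-http request can "
                "be intercepted and redirected before TLS is ever used"]
    policy = parse_hsts(value)
    if policy["max_age"] is None:
        findings.append("max-age missing or malformed: browsers ignore the header")
    elif policy["max_age"] == 0:
        findings.append("max-age=0 clears any stored policy instead of setting one")
    elif policy["max_age"] < MIN_MAX_AGE:
        findings.append(f"max-age={policy['max_age']}s is short: the policy expires "
                        "quickly and must be re-learned over an exposed first request")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains absent: subdomains stay reachable over "
                        "plain http, and a parent-domain cookie without the Secure "
                        "flag would be sent to them in the clear")
    return findings


# Constructed sample responses (not real captures): header names deliberately
# vary in case, since real servers and proxies do the same.
SAMPLE_RESPONSES = {
    "no_hsts": {"Content-Type": "text/html"},
    "weak": {"strict-transport-security": "max-age=3600"},
    "strong": {"Strict-Transport-Security":
               "max-age=31536000; includeSubDomains; preload"},
}


def audit_all() -> dict[str, list[str]]:
    """Evaluate every sample response and return its findings by name."""
    return {name: evaluate_hsts(h) for name, h in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "->", findings or ["ok"])
```

To run it against a live site, pass the header dict of an HTTPS response (for example `dict(urllib.request.urlopen(url).headers)`) to `evaluate_hsts`; the check must be made over HTTPS, because browsers ignore the header on plain-http responses.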
It's very hard for us to recommend LastPass as a password manager when further vulnerabilities will almost certainly be found. For the time being, you should check out KeePass, an offline password manager that, for now, is a lot more secure than LastPass.
Update: LastPass has now implemented HSTS and a few other features to make their website and browser add-ons a lot harder to attack in the future. Hooray!
[Thanks to Brad for the tip!]
Comments (33)
Fletch, Feb 27th 2011 10:57AM
Please update this article http://downloadsquad.switched.com/2011/02/22/10-chrome-extensions-and-web-apps-for-new-users/ to reflect these findings.
I just installed LastPass based on the former article.
thanks
Sebastian Anthony, Feb 27th 2011 11:03AM
@Fletch Sure! I was actually just about to :)
(It's done now.)
Griff, Feb 27th 2011 12:50PM
So...what about us Ubuntu Linux OS types that keepass doesn't install for?
SilverWave, Feb 27th 2011 4:13PM
@Griff
For the serious stuff "revelation" does the job.
For day to day I stuff Firefox with Master password enabled.
Dave, Feb 27th 2011 5:34PM
@Griff
http://www.keepassx.org/
Neoprimal, Feb 27th 2011 12:55PM
I don't think it's as bad as you're making it sound. I mean, yes...it's bad that there's a flaw but I don't think there's too much of a reason to recommend an offline pw manager since it takes a few mins to crack one of those if you were to use it in a manner similar to lastpass, i.e. not just at your home.
So for example, you could have a laptop with lastpass or you could carry a usb key with keepass and all your passwords, right there in your pocket or bag.
Your real comparison here would be comparing the likelihood of someone targeting lastpass using a website or some kind of viral/malware attack vs. someone stealing your usb key OR you just losing your usb key.
In Lastpass' case, even though the thief would have some very sensitive information - they still wouldn't be able to get into any accounts without your passwords, and those are safe at least, as long as your reminder isn't the password itself or a dead-on clue.
In terms of your USB key, unless you're at LEAST semi knowledgeable to know to use a tool like truecrypt or using a truly secure key like ironkey then "your passwords are belong to them"....so in essence, it's 6 of 1, 1/2 dozen of the other really and I think I'd prefer Lastpass in the end.
I'm glad for the read of the article, but I don't think it's necessary to recommend other pw programs (especially offline ones) over lastpass for this reason.
Sebastian Anthony, Feb 27th 2011 1:57PM
@Neoprimal Yeah, don't get me wrong -- LastPass is still secure. Or more secure than hand-typing the same password for 10+ sites.
But for a company that _must_ put security first, it seems odd that a fairly simple XSS attack works -- and if something like this works, it's almost guaranteed that there are more holes, and perhaps a way to get at the passwords, too.
Thanks for the input!
SilverWave, Feb 27th 2011 4:21PM
@Neoprimal
>provides access your email address and password reminder.
Ouch!
I think you are wrong... you are putting all your eggs in one basket with this online program so they had better be whiter than white when it comes to security.
3tear, Feb 27th 2011 2:39PM
@Sebastian Anthony That was my thinking too. You would have thought they would have gone through their site and done these kinds of tests - or at least hired one of those white-hat hacker companies that checks for website security vulnerabilities.
Usul, Feb 27th 2011 2:10PM
The mocking incredulity of saying that LastPass "doesn't even support HSTS" is irresponsible at best. HSTS was submitted less than a year ago and has undergone revisions since. It's also not supported in a variety of situations.
Unless you are a security expert who can speak in-depth about the extension's vulnerability to man-in-the-middle attacks, I suggest you leave the FUD at the door.
As for me, this is the last straw. DLS is off my newsfeeds once and for all.
Sebastian Anthony, Feb 27th 2011 2:42PM
@Usul Sorry you feel that way. (Do you see browsers holding off on implementing nascent HTML5 standards?)
I hope we can still be friends.
Spex, Feb 27th 2011 2:47PM
@Usul Might be following your lead soon. Most of Sebastian's articles are written with sensationalized stories and misleading headlines.
Here it says: "LastPass XSS vulnerability found, website and browser add-ons affected"
Then the article goes on with a paragraph about what this vulnerability can do as if it were still active, only to mention that it's been fixed and isn't an open vulnerability anymore.
Sebastian Anthony, Feb 27th 2011 3:06PM
@3tear Well, maybe they'll hire Cardwell, the guy behind this vulnerability :)
Spex, Feb 27th 2011 2:49PM
Wow. Naturally my typos would creep out when I'm trying to make a point.
Sebastian Anthony, Feb 27th 2011 3:06PM
@Spex I actually did think of other titles, but short of turning it into a 3-line monster (which we're not really allowed to do), this was the best I could do.
How would you have titled it?
3tear, Feb 27th 2011 3:27PM
@Sebastian Anthony Maybe "LastPass XSS vulnerability found (& patched), website and browser add-ons affected"
MxxCon, Feb 28th 2011 12:09AM
How about you title the story similarly to how the official blog did it?
http://blog.lastpass.com/2011/02/cross-site-scripting-vulnerability.html
"Cross Site Scripting vulnerability reported, fixed"
Is your goal to post a sensational article or inform and provide a valuable service to your readers?
Sebastian Anthony, Feb 27th 2011 3:30PM
@3tear Yea, but then the "website and add-ons affected" bit seems a bit pointless! And "LastPass vulnerability found and fixed" is... not really a story.
The story is that LastPass has vulnerabilities. At least, that's what I think the story is :)
jk, Feb 27th 2011 3:54PM
@Sebastian Anthony If "LastPass vulnerability found and fixed" is not a story, perhaps the content of it wasn't either, since that's all it contained bar some fear mongering.
The story isn't that LastPass has vulnerabilities, but rather it _had_ a vulnerability. Speculating that further XSS attacks exist is just that, speculation. There's a difference between what you know, what you think you know and what is fact. The same way there's a difference between the man on the street, a blogger and a journalist.
rinryuu, Feb 27th 2011 3:45PM
I like keepass a lot but one gripe I have with it is it's a bit more advanced to get it working just perfectly on every site I add. Sometimes it will show the correct entry, sometimes it won't. I've tried tinkering with the url and name of entries and it still doesn't show up for auto-type. I also feel the UI could be cleaned and simplified.
One other gripe that isn't very related that this reminds me of. I can't stand forums or other sites that redirect you away from the page you were viewing, would much prefer to just see the page refresh and show my account in a corner as logged in. Also sites that have those overlay logins that pop up for the page.
Thank you for reminding us that no matter what we use, we have to be cautious regardless of what the security programs or online services try their best to provide us with.