I previously found a design flaw in lastpass that affected the 4.x branch of lastpass ([issue 884](https://bugs.chromium.org/p/project-zero/issues/detail?id=884). They confirmed the vulnerability, but explained that most of their users use an older branch from addons.mozilla.org.
I took a look at the addons.mozilla.org version (3.3.2 as of this writing), and noticed that they hadn't fixed this old regex vulnerability properly:
https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/
Apparently this vulnerability was originally reported in 2015, but their fix was incomplete, because you can still make it match something like "data:,.twitter.com/foo".
Exploitation is not trivial because of the weird context, but I made a quick demo that can steal your twitter password. In fact, with some simple clickjacking, you can also steal it if you don't enable autofill. Demo attached, it probably requires a lot of tweaking to be reliable.
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
京公网安备 11010502034610号
暂无评论