See how I use LastPass to get to all your password-vulnerability warning-the black bar safety net

2016-07-29T00:00:00
ID MYHACK58:62201677377
Type myhack58
Reporter 佚名
Modified 2016-07-29T00:00:00

Description

! Please note:the manufacturer has successfully fixed this issue,and the relevant information to inform a Lastpass user. Vulnerability status:has been fixed Repair time frame:9 0 days Vulnerability level:severe Manufacturer:LastPass Product:LastPass Report Date:2 0 1 6 7 2 6, Vulnerability overview Just by accessing a web page,someone can steal all you passwords. It sounds although some shocking,but this is indeed true. I also do not believe this statement,then I will decide on the LastPass browser plugin for security analysis. In the final analysis of the results after,I don't have to admit that this is indeed fact. Possibly some readers do not understand the LastPass what. LastPass is currently the world's most popular Password Manager. LastPass uses a strong encryption algorithm,and supports the current mainstream web browser. In addition,it can also use the user's web browsing easier and more secure. LastPass will of the user stored in the machine's password to be encrypted. In LastPass with the help of user passwords can be stored in the PC,Mac,or on mobile devices,only the LastPass Password Manager to unlock these password. So,even when the user to replace the computer or the login terminal,but also without too much worry. Because the user's encrypted data will be backed up on LastPass's official account,users only need to login to LastPass official page,and install LastPass,you can directly recover the user's password. According to the official description,LastPass uses a 2 5 6-bit AES encryption algorithm to the local and on the web site's password database is encrypted,and the data transmission using SSL-encrypted connections and other measures to ensure data security. LastPass CEO Joe Siegrist has said:“LastPass the use of cryptographic protection measures sufficient to protect the vast majority of users of security,LastPass for authentication hash to strengthen the protection,the use of a random factor,and the client outside of PBKDF2-SHA256 server-side implementation of the 1 0 million cycles.” Vulnerability analysis For this reason,I'm on the Windows operating system LastPass 4.1.20 a version were analyzed,and found some problems. I'm in the process of analysis is found,LastPass plug-in I the access of each Web page, add some HTML code(the HTML elements and event handlers),so I decided on the LastPass plug-in for a more in-depth analysis,to understand the specific working mechanism. In a few cups of coffee. after that,I found some very bad things. Yes,really very bad. The LastPass Plug-In will use the css code to modify the HTML of the label,and add a Click event handler for the plug-in generates a dedicated iframe. As a result,the web page can use Javascript code to create a mouse click event(MouseEvent()),and the use of the right of the X:Y coordinates to“simulate click on the”LastPass app icon. Typically,web pages are not able to directly directed to a url address of the resource,but it can let LastPass plugin for it to complete this part of the operation. The relevant code is shown below: ! The plugin can push the window information to the iframe to communicate,the event processor for interactive information for further verification process. But this did not make sense,because the operating window is completely controlled by the attacker,the attacker can directly insert their own event handler to override the browser itself, the event processor,and to modify the legal information. This part of the code is shown below: ! As a result,the attacker can get LastPass to handle and implement an openURL command. An attacker can create or delete files,execute arbitrary script and steal all the passwords. In addition,the attacker can make the target user logs on their own LastPass account,so you can steal all the new added account password data. A description of the problem This vulnerability will allow me to directly from the plugin's auto-fill function to extract the user's password. First,the code to the URL address is parsed,in order to get to the current browser is accessing the domain name. Then,the plug-in will use the stored in the system user credentials to fill the page to the login form. However,is responsible for parsing the URL address of this part of the code, there is a serious security vulnerability. Responsible for parsing the URL address of the function code as shown below: ! 将 URL 地址 :http://avlidienbrunn.se/@twitter.com/@hehe.php 输入 到 浏览器 的 地址 栏 中 之后,the browser will think that the user needs to access the domain is avlidienbrunn. se,但是 LastPass 插件 却 会 认为 目标 域名 是 twitter.com the. Since this part of the code only to the last“@”symbol after the content is URL-encoded,so the URL to the actual domain name will be regarded as a user name to process. This problem is very serious,serious to give some incredible From the following picture you can see,the LastPass plugin will use I store in the database the login credentials to fill in the twitter. com the login form. Fill after completion,I can directly access another commonly used web site,and extract out the login credential information. The case shown in the figure below: ! In I the report submitted to the LastPass company,after company technicians said at the time,I submitted the vulnerability code that can only be in their Firefox browser plug-in to take effect. So they think that only the Firefox LastPass plugin for the existence of this vulnerability. LastPass company reply to the full message content is as follows: Thank you very much responsibly for the vulnerability Details report to us. The company's safety technician has been confirmed,the attacker can indeed use your method to intercept the LastPass password data,so this is indeed a security vulnerability. We also confirmed,this problem only affects the Firefox browser with the LastPass plug-in. The company's technicians are currently processing the gripping handle of this vulnerability,we will be in this weekend to the user before the push to update the patch. This vulnerability condition in line with our vulnerability reward program,so we are very pleased to be able to give you the vulnerability reward,to reward you as our product security contributions. I by LastPass vulnerability submission page will be the vulnerability information is reported to the LastPass,LastPass staff were very responsible and handled my report. They are really very professional,only one day less than the time it developed in response to this vulnerability security patches. In addition,they gave me thousands of dollars of vulnerability rewards. But I decided to this vulnerability bonus donate to charity and Amnesty International,

[1] [2] next