LastPass then exposed many pieces of high-risk vulnerabilities, the user account information being stolen risk-vulnerability warning-the black bar safety net

2016-07-29T00:00:00
ID MYHACK58:62201677385
Type myhack58
Reporter 佚名
Modified 2016-07-29T00:00:00

Description

LastPass is the world's most popular cloud password management tool. This tool is the main user of the Internet account number and password management, and 1Pass very similar. On the PC side, the user can use the LastPass browser plug-in on their own account and password management, in the end of the phone is APP. !

LastPass in addition to the account password of the automated storage, but also for some manufacturers to provide automation to change the password of the programme. LastPass even provides a front-end encryption service to prevent the were middle attacks and the like. LastPass the use of cryptographic protection measures sufficient to protect the vast majority of users of security,LastPass for authentication hash to strengthen the protection,the use of a random factor,and the client outside of PBKDF2-SHA256 server-side implementation of the 1 0 million cycles of processing. On the surface it sounds very safe tricky, but in fact really true? 2 0 1 4 years, several security experts said, lastPass did not imagine in so safe. Because once your LastPass account is stolen or registered mail is stolen, then all of the Internet accounts are not to be spared. 2 0 1 5 years, a hack propaganda has infected the LastPass server, and steal the entire database. Although LastPass using a preceding encrypted, but still have to crack the possibilities. !

Multiple security vulnerabilities From the Google Project Zero researchers Tavis Ormandy found a few LastPass 0day vulnerabilities. Researchers said on Twitter: really someone with LastPass? I just see a few eye will find several vulnerabilities...... LastPass now has an emergency patch the vulnerability, there is no disclosure of vulnerability details. Here are some case we may not of known. In addition, a security personnel Mathias Karlsson, also found a LastPass vulnerability: LastPass according to domain name automatically fill in account and password. For example, I browse to a Google page, then lastpass will automatically fill in account and password, I only need to login on the line. As shown below: !

比如 当 我 浏览 了 http://www.freebuf.com/@google.com/login.php ,originally it should be automated fill in FreeBuf account and password, but it will put this URL defaults to Google's domain name, and fill in the Google Account and password. Assume that a single phishing server in their website directory under the set plurality of manufacturers of the static landing page, as long as LastPass to access the page and after login, the account and password along with the leak. Command execution vulnerability Yesterday evening(2016/7/27), a security researcher found a LastPass command execution vulnerability. LastPass in the information and communication process, will the JS code to do a credible verification. But this is not much use. In the local JS code to do some modifications to complete a non-spare communication exchanges, and even the command execution. The LastPass Plug-In will modify the HTML page of the CCS code, and in the tag add a dedicated iframe. As a result,the web page can use Javascript code to create a mouse click event(MouseEvent ()) it. And use the correct X:Y coordinates to“simulate click on the”LastPass app icon. Under normal circumstances, the web page is not able to directly directed to a section of the url address of the resource,but it can let LastPass plugin for it to complete this part of the operation. function trigger_frame() { var el = document. getElementsByTagName("input")[0]; var pos = el. getBoundingClientRect(); el. dispatchEvent(new MouseEvent("click", { clientX: pos. width + pos. x - 1 6, clientY: pos. height + pos. y - 1 2, })); } The following this javascript code is listening for the message event, messageType is the type of Open url, then the url value is a JS script. If the listener to the message event, then it will pop up 1, can also perform other script. // Put our own written information and legitimate information to cover the function modify_message(a) { a. data. messagetype = "openURL"; a. data. url="javascript:alert(1)"; // Remove EventListener window. removeEventListener("message", modify_message); } // Insert your new label window. addEventListener("message", modify_message); LastPass has now fixed the vulnerability, and issued a statement saying that the vulnerability only affects Firefox LastPass plugin. Summary Although LastPass has reported a lot of vulnerabilities, but this does not represent a Password Manager is unsafe symbol. The Internet booming today, people are less then a dozen accounts and passwords, many hundreds. Set similar passwords are vulnerable to social engineering, hacking, or hit the library attack. Password Manager although it has been available, but there are many security issues need to be considered.