
Cybersecurity Threat Advisory 0049-19: LastPass Bug Leaks Credentials From Previous Site

Advisory Summary:

LastPass is a very popular and widely used password manager – software designed to store user passwords, generate strong passwords, and automatically fill in usernames and passwords on websites. Security researchers recently discovered that JavaScript embedded in an attacker-controlled website can trick the LastPass browser extension into handing the attacker the username and password that were last filled into a previously visited site, without the user needing to interact with LastPass at all. It should be noted that LastPass itself is still considered secure – no breach of the software or of users' password vaults has been detected. The vulnerability affects only the LastPass extensions for Chrome and Opera. Password managers remain a recommended tool for creating, storing, and remembering a unique password for every website, so users should continue to use them as part of their overall online security posture. LastPass has released an update for the software and extensions that eliminates this vulnerability; users are encouraged to update immediately, and will already have received the fix if the LastPass auto-update feature was left enabled.

What is the threat?

Security researchers have identified a vulnerability in the Chrome and Opera extensions for LastPass – a popular and widely used password management utility. Through specially crafted JavaScript-based web pages, threat actors can extract the credentials most recently filled by LastPass, with no user interaction beyond visiting the attack page itself. The attack is limited to unpatched versions of LastPass running the Chrome or Opera extension. While not yet seen in the wild, the popularity of LastPass and the relative ease of setting up an attack page (and of disguising its address with URL shortening services and similar) make wide exploitation of this vulnerability highly likely in the near future.

Why is this noteworthy?

Unlike many types of attacks against password management systems, this attack does not require the user to explicitly interact with the LastPass application or extension for it to succeed. Simply visiting the page executes the JavaScript, which automatically harvests credential information left over from other recently visited sites. Because the user never has to authorize the auto-fill operation, they may be unaware that an attack has taken place.

What is the exposure or risk?

Since LastPass is widely used in both business and personal settings, and since Chrome and Opera users make up a significant share of web browser traffic, this vulnerability has a high probability of being exploited both inside and outside the business. It is critically important, however, not to dissuade users from relying on password managers (including LastPass) to protect themselves by creating and storing a unique password for every website and service. A password manager, like any software, will have vulnerabilities and other code bugs, but not using one leads to password re-use and over-reliance on password reset procedures – practices known to enable the theft of credentials and information, or to give threat actors an opening to socially engineer such theft. LastPass has released updates to the software and to the Chrome and Opera extensions that remove this vulnerability; they should be applied immediately.

What can you do?

  • Users who have never enabled, or have disabled, the auto-update mechanism for their LastPass browser extensions are advised to perform a manual update as soon as possible.
  • User education on the nature of the vulnerability, and on why it should not stop them using password managers, is critical so that users do not lower their security posture because this isolated incident is perceived as a reason to distrust password managers.
  • Standard user precautions should be stressed – avoiding clicking links in emails and not opening web pages they do not need to visit are key to steering clear of disguised links and possible attack sites.
  • Standard organizational processes for keeping software updated regularly, together with vulnerability scanning performed at least quarterly, will help identify vulnerable versions of LastPass and bring them up to date.
  • Enabling two-factor authentication on every device, website, and service that uses LastPass should be mandated by company policy. Enabling 2FA/MFA on all sites and services that support it (with or without LastPass) is always recommended.
  • Logging out of LastPass and closing the web browser when finished browsing should become every user's routine – this clears the "latent" credential information that this attack relies on to obtain the previous login.
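The fourth recommendation above depends on knowing which browser profiles still carry an outdated LastPass extension. The script below is an added example written for this advisory, not code from LastPass or from the advisory's author. It inventories Chrome and Opera extension manifests on the local machine and flags any LastPass extension whose version is below a minimum you supply. It assumes the standard extension layout `<profile>/Extensions/<id>/<version>/manifest.json` and the default profile locations listed in `PROFILE_ROOTS`; `MIN_SAFE_VERSION` is a placeholder, because this advisory does not state the patched version number, so replace it with the version given in LastPass's release notes before relying on the result.

```python
"""Inventory LastPass browser-extension versions across Chrome/Opera profiles.

Added example for this advisory (not LastPass's code). Assumptions:
  * extensions live at <profile>/Extensions/<id>/<version>/manifest.json
  * PROFILE_ROOTS lists default install locations (adjust for your fleet)
  * MIN_SAFE_VERSION is a PLACEHOLDER to be replaced with the patched version
"""
import json
import os
import re
from pathlib import Path

# PLACEHOLDER: the advisory does not state the patched version; take it from
# LastPass's release notes and put it here before using the report.
MIN_SAFE_VERSION = "0.0.0"

# Assumed default profile roots for Chrome and Opera on Linux, macOS and Windows.
PROFILE_ROOTS = [
    Path.home() / ".config" / "google-chrome",
    Path.home() / ".config" / "opera",
    Path.home() / "Library" / "Application Support" / "Google" / "Chrome",
    Path(os.environ.get("LOCALAPPDATA", "")) / "Google" / "Chrome" / "User Data",
    Path(os.environ.get("APPDATA", "")) / "Opera Software" / "Opera Stable",
]


def parse_version(version: str) -> tuple:
    """Convert a dotted extension version such as '4.33.0' into a comparable tuple.

    Chrome extension versions are one to four dot-separated integers; any
    non-numeric piece sorts as 0, and missing trailing parts are padded with 0.
    """
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts[:4])


def is_outdated(version: str, minimum: str = MIN_SAFE_VERSION) -> bool:
    """True when the installed version is strictly older than the patched minimum."""
    return parse_version(version) < parse_version(minimum)


def assess_manifests(manifests: list, minimum: str = MIN_SAFE_VERSION) -> list:
    """Given (profile_path, manifest_dict) pairs, return findings for LastPass only.

    Each finding is a dict with the profile, extension name, version and an
    'outdated' flag. Extensions whose manifest name does not mention LastPass
    are ignored (a localized '__MSG_...__' name would need the _locales file).
    """
    findings = []
    for profile, manifest in manifests:
        name = str(manifest.get("name", ""))
        version = str(manifest.get("version", ""))
        if "lastpass" not in name.lower() or not version:
            continue
        findings.append({
            "profile": str(profile),
            "name": name,
            "version": version,
            "outdated": is_outdated(version, minimum),
        })
    return findings


def load_manifests(roots=PROFILE_ROOTS) -> list:
    """Collect (profile_dir, manifest) for every <profile>/Extensions/<id>/<ver>/manifest.json."""
    found = []
    for root in roots:
        if not root.is_dir():
            continue
        for manifest_path in root.glob("*/Extensions/*/*/manifest.json"):
            try:
                with open(manifest_path, encoding="utf-8") as fh:
                    # parents[3] is the profile directory (e.g. 'Default')
                    found.append((manifest_path.parents[3], json.load(fh)))
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest: skip, do not abort
    return found


if __name__ == "__main__":
    for f in assess_manifests(load_manifests()):
        status = "OUTDATED - update now" if f["outdated"] else "at or above minimum"
        print(f"{f['profile']}: {f['name']} {f['version']} -> {status}")
```

Run it under the account whose browser profiles you want to check, or point `load_manifests` at a list of profile roots gathered from a fleet. The name match is deliberately loose; if an extension's manifest uses a localized `__MSG_...__` name, resolve it via the extension's `_locales` messages before matching, or match on the extension ID your organisation has recorded instead.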


References:

For more in-depth information about the vulnerability and the recommendations, please visit the following links:

https://www.zdnet.com/article/lastpass-bug-leaks-credentials-from-previous-site/

https://bugs.chromium.org/p/project-zero/issues/detail?id=1930


If you have any questions, please contact our Security Operations Center.
