Bug Allowed Access to LastPass Remote Procedure Calls
There’s no rest for the popular password manager LastPass. Google’s top-notch bug hunter Tavis Ormandy has found another bug in the application that could be exploited to steal passwords.
See Also: 2017 Predictions on Data Security: Insights on Important Trends in Security for the Banking Industry
LastPass says it deployed a server-side fix within hours of receiving Ormandy’s report. The flaw could be exploited via its extension for the Chrome browser. Not long after, however, Ormandy warned that he’d found another flaw, which appears to be in a LastPass Firefox plug-in. The company says it’s investigating that bug report.
In a March 21 write-up about the first flaw, Ormandy says he found a responsive script in LastPass’s Chrome extension that would funnel unauthenticated messages to the main LastPass application. That gave an attacker access to LastPass’s remote procedure calls, or RPCs.
“Therefore, this allows complete access to internal privileged LastPass RPC commands,” Ormandy writes. “There are hundreds of internal LastPass RPCs, but the obviously bad ones are things copying and filling in passwords.”
LastPass spokeswoman Lauren Van Dam says a successful attack would require some action on the part of a victim, such as visiting a malicious website or falling prey to a phishing email. Software developers often downplay the likelihood of successful attacks using this reasoning, but it’s only a minor obstacle for attackers who have mastered social engineering.
Van Dam tells Information Security Media Group that the flaws do not affect LastPass Enterprise or Teams accounts because the vulnerability is connected to a onboarding feature that allows password vaults to be set up via email.
It’s generally considered a good security practice to use password managers. The applications generate unique passwords for new accounts and help users fill those difficult-to-remember phrases into web forms and apps automatically.
Still, a password manager places all of the password eggs are in one basket. If there’s a remotely exploitable vulnerability in the application, all could be lost to an attacker. Disclosures of such bugs are confidence-shaking for users.
“I’ve got to say, this attack looks a little too obvious,” writes a commentator on Hacker News. “That doesn’t reflect well on LastPass.”
Wait, I Didn’t Start Calc.exe
To demonstrate how he was able to reach deeply into LastPass, Ormandy crafted a benign exploit that causes the Microsoft calculator app to be launched on Windows machines. After he sent a bug report to LastPass, the company’s engineers tried to replicate the example.
“They also said they couldn’t get my exploit to work, but I checked my Apache access logs, and they were using a Mac,” Ormandy writes. “Naturally, calc.exe will not appear on a Mac.”
It’s also possible for an attacker to run arbitrary code. For that to work, a LastPass user would need to have the binary component feature of the application enabled. The component controls features such as auto-logging off when a browser is closed and fingerprint-based authentication.
Ormandy writes that a user wouldn’t necessarily have to have that enabled, as an attacker could try to trick a user into turning it on via another RPC command. He humorously writes that if that social engineering trick doesn’t work, “you will have to settle for just stealing passwords.”
Second LastPass Flaw Flagged
Hours after LastPass on March 21 reported fixing the flaw found by Ormandy, however, he reported that he’d found another one.
“I found another bug in LastPass 4.1.35 (unpatched), allows stealing passwords for any domain,” Ormandy tweeted. “Full report will be on the way shortly.”
We are aware of reports of a Firefox add-on vulnerability. Our security is investigating and working on issuing a fix.
— LastPass (@LastPass) March 22, 2017
LastPass says the potential flaw involves “a Firefox add-on vulnerability” and that it’s investigating.
News of the new vulnerability report led one user to quip via Twitter: “You’ve had a few of these lately, what’s the plan going forward? We’re trusting you with our passwords, this is no joke.”
String of Hits
Google’s Project Zero focuses on security research. Ormandy has in the past focused on finding bugs within widely used applications or services, often with startling results.
Last July, he found a problem with LastPass’s Firefox extension that would allow malicious code to interact with the extension. The flaw could have allowed an attacker to grab all passwords, create and delete files, execute scripts and log into victims’ accounts (see LastPass Patches Password Manager Vulnerability).
Most recently, Ormandy discovered an amazing yet obscure vulnerability in Cloudflare’s redundancy service: A minor coding error of a single keystroke in HTML parsing code that caused unencrypted data to leak, including chat logs, cookies and possibly passwords (see Cloudflare’s Cloudbleed: Small Risk, But Data Lingers). He nicknamed the vulnerability Cloudbleed. Due to the random way the data leaked, it’s not thought those affected were at high risk. The leaked data was indexed by search engines, however, which set Cloudflare off on a scramble to get the content removed from caches.
(Executive Editor Mathew Schwartz also contributed to this story.)