LastPass hacked; security compromised for good

LastPass password manager had its security compromised by two white hackers in two days — It turned out sometimes it’s good to be hacked by good hackers!

Mathias Karlsson, an IT security researcher recently breached the security of popular password managers LastPass and reported the issue to the firm.

It all happened when Karlsson noticed LastPass has added HTML code on their website and upon further digging, he found out a serious bug allowing him to extract passwords stored in the autofill feature. In a blog post, Karlsson revealed that the bug was in the URL parsing.

“First, the code parsed the URL to figure out which domain the browser was currently at, then it filled any login forms with the stored credentials. However, the URL parsing code was flawed, stated Karlsson.”

Further, Karlsson tested the bug on http://avlidienbrunn.se/@twitter.com/@hehe.php and found that the browser would display the current domain as avlidienbrunn.se while the extension would treat it as twitter.com. Since the code only URL encodes the last occurrence of @, the actual domain is treated as the username portion of the URL.

Karlsson also shared a screenshot he took from the avlidienbrunn.se domain which displayed Titter credentials in the clear-text form:

Must Read: Top 15 Cyber Attacks and Security Breaches in 2015

I, too, have hacked LastPass :) https://t.co/YeIzTHASou cc @taviso

— ­Mathias Karlsson (@avlidienbrunn) July 27, 2016

Good news is that Karlsson reported the issue to LastPass who fixed the flaw immediately and paid him a sum of $1000.

Second case of LastPass hack: 

In another case, Tavis Ormandy, a Google Security Team researcher exposed a message-hijacking bug that affected the LastPass Firefox addon. To take advantage of this bug the attack had to lure a LastPass user to visit another site and then execute the LastPass actions in the background without the user’s knowledge, such as deleting items. This was possible if the victim fell for a phishing scam that basically redirects users to a fake page, however, good news is that LastPass has issued a security advisory urging FireFox users to update the 4.0 version to the latest one.

Are people really using this lastpass thing? I took a quick look and can see a bunch of obvious critical problems. I'll send a report asap.

— Tavis Ormandy (@taviso) July 26, 2016

OK OK, I get it, lots of people use LastPass. If you work there, please contact me ASAP and let's get this fixed.

— Tavis Ormandy (@taviso) July 26, 2016

Full report sent to LastPass, they're working on it now. Yes, it's a complete remote compromise. Yes, I promise I'll look at 1Password.

— Tavis Ormandy (@taviso) July 27, 2016

History of LastPass security breaches: 

This is not the first time nor will it will be the last time when LastPass has faced security issue, this is the Internet and 100% security is a myth however in the past; researcher demonstrated how attackers can hack LastPass users through a phishing scam. In June 2015, LastPass admitted its database comprising of email addresses, server per user salts, password reminders and authentication hashes were hacked.

Must Read: How to secure your cyber infrastructure from threats like ransomware?

Warning:

Whether you are a LastPass user or not, keep in mind never to click an unknown link as it can lead to a phishing scam
NEVER use the same password for other accounts
Use 2 two factor authentication
Use a strong password!