LastPass security update fixes credential leak bug

LastPass released a new security update that fixes a vulnerability that exposes credentials from a previously visited website. The new version 4.33.0 was released on September 12.

Tavis Ormandy, a security researcher with Google’s Project Zero security team, first reported the vulnerability on August 29. He has since disclosed more details, both after the initial discovery and after LastPass released the fix. He verified that LastPass had fixed the issue on September 15.

“I noticed that you can create a popup without calling do_popupregister() by iframing popupfilltab.html (i.e. via moz-extension, ms-browser-extension, chrome-extension, etc). It’s a valid web_accessible_resource,” Ormandy wrote in a blog post.

“Because do_popupregister() is never called, ftd_get_frameparenturl() just uses the last cached value in g_popup_url_by_tabid for the current tab. That means via some clickjacking, you can leak the credentials for the previous site logged in for the current tab.”
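As an added illustration (not LastPass code and not from Ormandy’s post), the following models the lookup he describes: the vulnerable version falls back to the per-tab cached URL when no registration happened, while the hardened version answers only when the current popup was explicitly registered. All function and variable names are hypothetical.

```javascript
// Hypothetical model of a per-tab popup registry (not LastPass code).
// The vulnerable lookup returns the last URL cached for the tab even when
// the popup never registered; the hardened lookup requires an explicit
// registration handshake for the popup currently shown in that tab.

const cachedUrlByTab = new Map();      // last page URL that ever registered, per tab
const registeredThisPopup = new Set(); // tabs whose current popup completed the handshake

// Legitimate path: the extension itself opens the popup for a tab.
function registerPopup(tabId, pageUrl) {
  cachedUrlByTab.set(tabId, pageUrl);
  registeredThisPopup.add(tabId);
}

// Popup torn down (closed or tab navigated): registration expires, but the
// stale cache entry is deliberately kept to model the original behaviour.
function closePopup(tabId) {
  registeredThisPopup.delete(tabId);
}

// Vulnerable: a popup page that was merely framed, and so never registered,
// still receives the cached URL of the previously visited site.
function frameParentUrlVulnerable(tabId) {
  return cachedUrlByTab.get(tabId) ?? null;
}

// Hardened: without a registration for the current popup there is no URL,
// so nothing is looked up or filled for an unregistered frame.
function frameParentUrlHardened(tabId) {
  if (!registeredThisPopup.has(tabId)) return null;
  return cachedUrlByTab.get(tabId) ?? null;
}
```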

Consequently, an attacker could direct users to a malicious site that exploits the vulnerability and steals their credentials.

Ormandy walked through the steps to reproduce the issue and verified that the credentials displayed were from a previously visited site. On September 3, he also added more details on several other issues, such as the potential to bypass certain security checks.

“I think it’s fair to call this ‘High’ severity, even if it won’t work for all URLs,” Ormandy warned.

Users are encouraged to update to LastPass version 4.33.0 or later as soon as possible. They can also enable the auto-update feature to ensure that the LastPass browser extension or mobile app is updated in a timely manner.