LastPass has pushed Google for years to give us a way to avoid using the browser viewport: infobars were a solution to this issue -- you can see one of my pleas for it back in January 2012: https://code.google.com/p/chromium/issues/detail?id=39511
We do a lot to try to protect our usage of viewports using iframes, but it's not good enough and we'll figure out a way to do better. LastPass has generally told people to use the extension directly to login as it's more secure; we'll need to go further here as well.
Sean was clever using http://chrome-extension.pw which looks close -- but LastPass also detects when you enter your master password on an incorrect domain and notifies you immediately of your mistake, mitigating this a great deal. This has existed for a long time before Sean's report and we did not implement it as a response to Sean's bug report -- we implemented it as a general way for people to know about password reuse and to be notified of being phished.
Making this practical is a lot tougher than email phishing -- you really need an XSS on a page that people use to login, and unlike email phishing it is immediately caught.
Sean here: the mitigation you speak of (notifying the user that they've typed in their master password) is actually another vulnerability.
A malicious page can detect the fact that LastPass put that notification, and then it knows exactly what your master password is without even contacting LastPass. I've told your security team about this but haven't yet received a response.
I clicked on the thumbnail to examine it more closely, and was briefly confused, then amused that it pointed to the real one.
I think this quite nicely shows why hiding the URL scheme is NOT a good idea; otherwise it would show this, which is far more obvious to indicate that the page is either from the extension or not:
This is of the devil. It needs to be burned with fire and the ashes should be sunk in the Mariana trench and the trench should be filled with dirt that has been cursed by a witch that was formerly dead but was reanimated by Cthulhu and then rekilled, burned with fire, and buried on the opposite side of the earth.
Everything here is usual phishing stuff, but that Chrome-Extension.pw url is disturbing combined with the lastpass API stuff.
Digging it out from the bottom of the Marianas Trench only to rebury it in an inferior location (from an accessibility standpoint) seems counterproductive.
Woah, this is scary. I'll need to look closely at LastPass alternatives (perhaps something that runs separately from the browser, even if it's a little more clunky to use than LastPass's integration).
I'll keep using Lastpass and I'm not sure that this is really their fault, but I have to say this is the first phishing scheme that I've thought "Wow, I would definitely fall for that".
The chrome-extension.pw domain looked almost exactly the same as the Lastpass URL at first glance. I wonder if it would help if Chrome added a special URL-bar designation for extensions.
This isn't the first time that LastPass has had security issues and it seems like a fool's game to use a password manager that keeps your data in the cloud.
I believe so far my brain is still the best, if not only, secure password storage. To add a layer of security while reducing password complexity, I coded a small hasher so my brain remembers easy phrases and passwords come out of this tool über strong. I suppose I am still vulnerable to social engineering hacks or the attacker getting a hold of my hasher, but for such cases the only layer left is whatever vendors implement to defend their users, like SSL, 2FA or external devices.
This is amazing not just for the execution, but the plain simplicity of it. Could you get around this by always clicking on the browser bar LastPass button when you want to login?
I've noticed LastPass will often log out seemingly at random. This is supposed to be determined by a combination of your settings like "only allow one IP logged in at a time", which would log you out if you switched on your VPN for instance. However, it can appear to happen out of the blue, which makes this attack more dangerous, because people are used to that occurring.
LastPass has a binary extension option for Chrome, hopefully they put that to use here with a desktop window that pops up for you to log in. But the fact that they just got bought by LogMeIn (and their reply to this issue) worries me that they won't do anything.
This is also an attack that is possible against MacOS and Windows. My app can make the screen "go dark" or throw up an Apple-looking password prompt.
As I kept saying (and once emailed Steve Jobs about) the way to properly handle this is:
1. Establish a secret phrase or icon when the account is created, that the user can recognize
2. Show it in the iframe when the user places their keyboard focus into the password field
3. Do not allow outside code to grab it -- in browsers, use the cross domain security model, in MacOS use the anti-DRM preventing screenshotting a certain window.
Now, it's true that on the web, the secret phrase or icon has to depend on the user already having a session they've logged into. This authentication prevents an attacker from simply getting the secret phrase or icon.
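The three steps above, modelled on the server side in Python as an added example (not EGreg's or any vendor's code): the phrase is stored at account creation, handed out only against a signed session cookie, and only to a request coming from the manager's own origin, so a page on a look-alike origin or a browser with no live session gets nothing back. `MANAGER_ORIGIN`, the cookie format and the in-memory stores are assumptions; the username and phrase used below are constructed.

```python
import hashlib
import hmac
import os
import secrets

# Added illustration of the secret-phrase login scheme; every name here is an assumption.
SERVER_KEY = os.urandom(32)                 # constructed server-side key for signing session cookies
MANAGER_ORIGIN = "https://vault.example"    # assumed origin that serves the login iframe

accounts = {}   # username -> recognisable phrase chosen at account creation (step 1)
sessions = {}   # session id -> username, populated only after a successful login


def create_account(username, phrase):
    """Step 1: the user picks a phrase (or icon label) they will recognise later."""
    accounts[username] = phrase


def login(username):
    """Start a session with an unguessable id; the phrase is only ever shown to a session."""
    sid = secrets.token_urlsafe(32)
    sessions[sid] = username
    return sid


def _sign(sid):
    """HMAC tag over the session id so a forged cookie is rejected cheaply."""
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()


def issue_cookie(sid):
    """Cookie value the browser sends back with the iframe's request."""
    return f"{sid}.{_sign(sid)}"


def phrase_for_request(cookie, origin):
    """Steps 2 and 3, server side: return the phrase for the manager's iframe to render
    when the password field gains focus, or None. A request from another origin, a
    request without a session, or a forged cookie all get None, so the phrase never
    reaches code outside the manager's own frame."""
    if origin != MANAGER_ORIGIN:            # only the manager's own frame may ask
        return None
    if not cookie or "." not in cookie:     # no session yet, so nothing to show
        return None
    sid, tag = cookie.rsplit(".", 1)
    if not hmac.compare_digest(tag, _sign(sid)):   # tampered or guessed cookie
        return None
    username = sessions.get(sid)
    if username is None:                    # correctly signed but the session is gone
        return None
    return accounts.get(username)
```

The last point in the comment carries over directly: with no live session the endpoint returns nothing, so the phrase only protects re-authentication, and the very first login on a fresh browser still has to rely on the address bar.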
I have 1Password on Mac and the 1Password Chrome extension.
But for typing my master password in, I always use the Mac application. That's because I'm worried that the Chrome extension might be vulnerable.
Are you running a 1Password version <5.0? In 1Password 5 AgileBits added 1Password mini, which is a small helper app running in the background. The point of this is to say that one no longer enters passwords into the extension - toggling the extension merely brings up 1Password mini, which is where passwords are entered. Once the 1P mini is unlocked, it then enters the relevant login info into the browser (by using the extension's functionality, all of which is transparent to the user).
I suggest using the desktop app with global hotkeys for Search and Vault. I got used to it, and actually prefer how I can now seamlessly access login details from a Terminal window.
In my Linux/Firefox credentials are requested in a popup window. Looks quite different from this. It is worrying that 2FA can be compromised so easily though.
pwman | 10 years ago
bqe | 10 years ago
DrewHintz | 10 years ago
Interesting! How does it do this?
nfm | 10 years ago
userbinator | 10 years ago
Ironically, it wasn't that long ago when browser designers thought completely hiding the URL bar was a good idea.
jnevill | 10 years ago
th0br0 | 10 years ago
DrScump | 10 years ago
vosper | 10 years ago
chrisfosterelli | 10 years ago
EDIT: It looks like Chromium has an issue for adding this sort of URL-bar designation: https://code.google.com/p/chromium/issues/detail?id=453093
infinitelurker | 10 years ago
https://www.blackhat.com/eu-15/briefings.html#even-the-lastp...
https://blog.lastpass.com/2015/06/lastpass-security-notice.h...
I've been very happy with 1password, runs locally can be synced directly to other devices. https://agilebits.com/onepassword
Does anyone have experience with 1password security breaches?
TwoBit | 10 years ago
bikamonki | 10 years ago
Oogoo | 10 years ago
"[password phrase] + facebook"
"[password phrase] + bank"
etc for all of your passwords, and as long as the hasher works well, you have strong, random passwords for everything.
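The "[password phrase] + site" scheme described above, written out as an added Python example (not bikamonki's hasher or Oogoo's tool): one memorable phrase and a site label go through scrypt and the output is encoded into a typeable password. The site label is normalized so a slightly different spelling does not silently produce a different password, and a counter is mixed in so one site's password can be rotated after a breach without changing the phrase. The scrypt parameters, alphabet and length are assumptions; the phrase and labels in the usage are constructed.

```python
import hashlib
import unicodedata

# Added example of a phrase + site-label password hasher; all parameters are assumptions.
ALPHABET = ("abcdefghijklmnopqrstuvwxyz"
            "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "0123456789"
            "!@#$%^&*-_=+")          # 74 typeable characters


def normalize_label(site):
    """Canonicalise the site label so 'Facebook ' and 'facebook' derive the same password."""
    return unicodedata.normalize("NFKC", site.strip()).lower()


def _encode(key, length):
    """Expand the derived key into `length` base-74 digits drawn from ALPHABET.
    With 512 bits of key material for ~124 bits of output the residual bias is negligible."""
    n = int.from_bytes(key, "big")
    out = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        out.append(ALPHABET[idx])
    return "".join(out)


def derive_site_password(phrase, site, counter=1, length=20):
    """Deterministic per-site password from one memorable phrase.

    phrase  : the secret kept in the user's head
    site    : label such as 'facebook' or 'bank'
    counter : bump to rotate this one site's password without touching the phrase
    """
    # The site label and counter act as the salt, so each (site, counter) pair yields a
    # different, unrelated-looking password from the same phrase.
    salt = f"site:{normalize_label(site)}|v{counter}".encode("utf-8")
    key = hashlib.scrypt(phrase.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=64)
    return _encode(key, length)


if __name__ == "__main__":
    # Constructed sample: same phrase, two sites, one rotation.
    print(derive_site_password("correct horse battery", "facebook"))
    print(derive_site_password("correct horse battery", "bank"))
    print(derive_site_password("correct horse battery", "bank", counter=2))
```

The design trade-off a practitioner should keep in view: every derived password is a function of the phrase, so a password leaked from one site's breach is an offline target for guessing the phrase, and the scheme also needs the per-site counter to handle sites whose password policy rejects the generated string. The scrypt cost slows the guessing, it does not replace a long phrase.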
greggarious | 10 years ago
Or are you just manually copying and pasting this one super good hash into all your accounts? :/
viraptor | 10 years ago
DyslexicAtheist | 10 years ago
gregwebs | 10 years ago
redwards510 | 10 years ago
chrisfosterelli | 10 years ago
bobwaycott | 10 years ago
EGreg | 10 years ago
delhanty | 10 years ago
kobayashi | 10 years ago
some1else | 10 years ago
alexandrerond | 10 years ago
unknown | 10 years ago
[deleted]