Cross Site Scripting vulnerability reported, fixed

February 27, 2011 | Security News
While no client data was impacted, we were notified at about 3pm Eastern time yesterday of a non-persistent (reflected) cross-site scripting vulnerability on the website. By 5:30pm it was fixed, tested and deployed, closing the hole.

It's important to note that this was not a flaw in the extensions. The issue could only have been exploited if you visited a malicious site that was set up to exploit it while you were logged into LastPass: a reflected XSS payload runs in the victim's own browser session with the site, so it needs that session to do anything useful.

The cause of this issue was a gap in our testing procedure for this particular case, which has been rectified. Our logs show no sign of it being successfully exploited (beyond the person who found it).

We've made a number of changes to improve security on the website and help reduce the chance of a recurrence of this kind of issue:

1) Implemented HSTS (HTTP Strict Transport Security): browsers that support it (Chrome and Firefox 4) will only connect to the domain over HTTPS for as long as the policy is valid, and will refuse to fall back to plain HTTP. HSTS does not stop XSS by itself, but it closes the plain-HTTP path an attacker on the network could use to tamper with our pages.

2) Increased our input filtering and stateful inspection.

3) We've implemented X-Frame-Options, which makes an attack like this harder to exploit: in browsers that honour the header, our pages can no longer be embedded in another page via an iframe/frame.

4) We've begun implementing something very similar to Content Security Policy (CSP). Because LastPass is a browser extension, we can enforce this in the extension today and roll it out far more quickly than the browsers themselves will support it.
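As an added illustration (not LastPass code, and not the actual page that was affected), the following Python shows a reflected-XSS sink beside its hardened form, the response headers that correspond to items 1, 3 and 4 above, and a small checker for them. The search page, the `q` parameter, the header values and the CSP are assumptions chosen for the example.

```python
"""Added example (not LastPass code): a reflected-XSS sink, its hardened
form, and the HSTS / X-Frame-Options / CSP response headers with a checker.
The page, parameter name and policy values are assumptions for illustration."""
import html
from urllib.parse import parse_qs, urlsplit

# Hypothetical page: a search form that echoes the query back to the user.
PAGE_TEMPLATE = "<html><body><p>Results for: {query}</p></body></html>"


def _query_param(url, name="q"):
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(url):
    """Reflects the parameter into HTML without encoding.  A victim who follows
    an attacker-crafted link gets the attacker's markup executed in the site's
    origin, with the victim's own session."""
    return PAGE_TEMPLATE.format(query=_query_param(url))


def render_hardened(url):
    """Same page with contextual output encoding: every character that could
    change HTML structure is escaped, so the input stays text."""
    return PAGE_TEMPLATE.format(query=html.escape(_query_param(url), quote=True))


def hardening_headers():
    """Response headers for items 1, 3 and 4 of the post (values assumed;
    tune max-age and the CSP to the site)."""
    return {
        # 1) HSTS: supporting browsers only talk HTTPS to this host for a year
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        # 3) Forbid framing so the page cannot be embedded by another origin
        "X-Frame-Options": "DENY",
        # 4) CSP: no inline script, scripts and resources only from our origin
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    }


def check_headers(headers):
    """Return a list of missing or weak hardening headers (empty means OK)."""
    problems = []
    h = {k.lower(): v for k, v in headers.items()}

    max_age = 0
    for directive in h.get("strict-transport-security", "").split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age" and value.strip().isdigit():
            max_age = int(value)
    if max_age < 15768000:  # assumed floor: six months
        problems.append("HSTS missing or max-age too short")

    if h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN"):
        problems.append("X-Frame-Options missing or permissive")

    csp = h.get("content-security-policy", "")
    if not csp or "'unsafe-inline'" in csp:
        problems.append("CSP missing or allows inline script")
    return problems


if __name__ == "__main__":
    # Constructed attacker link: the payload is reflected straight into the page.
    link = "https://example.test/search?q=<script>alert(document.cookie)</script>"
    print(render_vulnerable(link))
    print(render_hardened(link))
    print(check_headers(hardening_headers()), check_headers({}))
```

The escaping in `render_hardened` is the fix for the sink itself; the headers reduce the blast radius of any sink that is missed. `check_headers` is the sort of assertion that belongs in a deployment test so the headers cannot silently disappear in a later release.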

We believe this issue to be resolved but are continuing to audit and implement ways to further mitigate risk. If you would like to take extra precautions in the interim, a good security practice is to log out of LastPass before visiting websites of ill repute.

CSP is a big step forward in reducing the risk from this kind of attack. While we're disappointed we missed this case up front, we're pleased that it will lead to an even stronger product in the near term.

For those wanting to learn more about non-persistent (reflected) cross-site scripting (XSS), you can read about it here:

Our thanks to Mike Cardwell for responsibly reporting this issue.