Security Update for the LastPass Extension

Incident Report: March 31, 2017 (8:10 PM)

On Saturday, March 25th, security researcher Tavis Ormandy from Google’s Project Zero reported a security finding related to the LastPass browser extensions. In the last 24 hours, we’ve released an update which we believe fixes the reported vulnerability in all browsers and have verified this with Tavis himself.

Most users will be updated automatically. Please ensure you are running the latest version (4.1.44 or higher), which can always be downloaded at https://www.lastpass.com/.

Now that the issue is resolved, we want to provide a postmortem to our community on what the report entailed and how we are building a better, more secure LastPass going forward. Please note, due to the nature of the vulnerability, this postmortem is highly technical.

Overview

  • This was a client-side vulnerability in the LastPass browser extensions and could be exploited to steal data and manipulate the LastPass extension
  • Exploiting required luring a user to a malicious website (through phishing, spearphishing, or other attack), or to a trusted website running malicious adware
    • This requires a per-user attack that must be executed through the user’s local browser
  • All extensions have now been updated with the fix and submitted to the extension stores
    • Our mobile apps for Android, iOS, and Windows Phones were not affected
  • All of your LastPass browser extensions should be updated to version 4.1.44 or higher
    • Check the LastPass extension icon > More options > About LastPass for your version number
    • Most users should be updated automatically, but the latest versions can always be downloaded at https://www.lastpass.com/
    • Uninstalling is not required to download the updated version

Postmortem

The report

This client-side vulnerability in the LastPass browser extensions was caused by the way LastPass behaves in “isolated worlds”. As noted in the report, “an isolated world is a JavaScript execution environment that shares the same DOM (Document Object Model) as other worlds, but things like variables and functions are not shared. Without isolated worlds, unprivileged pages could interfere with higher privileged scripts, and make them do whatever they want.” In the case of those running the binary version of the extension, which is less than 10% of LastPass users, it could have been manipulated to allow remote code execution (RCE) on the extension.

 “Isolated worlds” and Trusted Pages

A major part of how LastPass works is content scripts. Content scripts are snippets of JavaScript that we inject into 3rd-party sites in order to capture login information and perform autofill. These are a major part of what makes LastPass so useful. In turn, the content script communicates with the rest of the extension to do the heavy lifting: decrypting saved sites, updating the vault, and so on. The rest of the extension is completely inaccessible to 3rd-party sites and should not be able to influence the content scripts.

The content scripts are ordinarily set apart from the rest of the site through the concept of “isolated worlds”. Isolated worlds means our content scripts can read the DOM contents of a 3rd party site, but not any internal JavaScript functions or variables. The reverse also applies: The 3rd party site cannot call any functions or access any variables in our content scripts. The separation is supposed to keep both sides safer from external manipulation.

In some cases, these variables can influence the logic of the content script. It is difficult to inject arbitrary values into JavaScript using this technique. But in a particularly clever move, the report demonstrated that arbitrary strings could be injected, and one of these was enough to trick the extension into thinking it was executing on lastpass.com. By doing so, an attacker could manipulate the LastPass extension into revealing the stored data of that user, and launch arbitrary executables in the case of the binary version.

Our assumption was that we could trust the global scope in which our content scripts run, and this proved not to be the case. Consequently, there were many locations in our JavaScript where it was possible for externally-supplied, global variables to override a default value.

Fixing the issue

Immediately after we received the full report, a cross-functional response team investigated and validated the findings. It was clear that addressing the issues would require a significant change to our browser extensions. This was not a simple patch, and required a thoughtful, thorough fix. Those changes then needed to be applied and tested across all affected extensions.

In short: Comprehensively addressing this report required a significant amount of effort and our team worked around the clock to complete the fixes in a short period of time.

To fix, we addressed variable handling and added the Proxy object to the outer scope of the content script, acting as a “sandbox” to prevent externally-supplied window properties from being read within the content script. To further mitigate RCE, we put in place restrictions on the types of attachments that the extension can launch and limited the available extension APIs.

We worked directly with Google’s Project Zero to verify that our fixes were comprehensive. Once the fix was ready for all affected extensions, we were able to have them reviewed by all stores and pushed to users very quickly. We want to thank our partners at Apple, Google, Microsoft, Mozilla, Opera, Yandex and others who fast-tracked our extension review and release.

Looking ahead

We strongly urge other extension developers to look for this pattern in their code and ensure they are not vulnerable.

We’re in the business of password management; security is and always will be our top priority. We greatly appreciate the work of the security community who challenges our product and works with our teams to ensure we’re delivering a secure service for our users. As a market leader, we get the best of the best testing LastPass and in return our software and our customers benefit.

In an effort to maintain the highest level of security, we will continue to partner with white-hat security researchers and provide incentives to participate in our bug bounty program (https://bugcrowd.com/lastpass). Stay tuned for more to come on this.

Thank you,

The LastPass Team

____________________________________________________________________________________________________________________________

March 27, 2017 (7:10 PM)

Over the weekend, Google security researcher Tavis Ormandy reported a new client-side vulnerability in the LastPass browser extension. We are now actively addressing the vulnerability.  This attack is unique and highly sophisticated. We don’t want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties. So you can expect a more detailed post mortem once this work is complete.

In the meantime, we want to thank people like Tavis who help us raise the bar for online security with LastPass, and work with our teams to continue to make LastPass the most secure password manager on the market. And we want to offer our users with a few steps they can take to further protect themselves from these types of client-side issues.

  1. Use the LastPass Vault as a launch pad – Launch sites directly from the LastPass vault. This is the safest way to access your credentials and sites until this vulnerability is resolved.
  2. Two-Factor Authentication on any service that offers it – Whenever possible, turn on two-factor authentication with your accounts; many websites now offer this option for added security.
  3. Beware of Phishing Attacks – Always be vigilant to avoid phishing attempts. Do not click on links from people you don’t know, or that seem out of character from your trusted contacts and companies. Take a look at our phishing primer.

We’ll provide further updates on the patch once complete.