
In 2018, a hardware vulnerability called Spectre was disclosed that affects most modern central processing units (or “processors” for short). This vulnerability was shown to have the potential to break the isolation between running applications and allow data to be stolen from programs that are running simultaneously on the same computer. Spectre had the capacity to affect any website or browser-based extension running on potentially impacted hardware.
At that time, LogMeIn immediately began investigating and taking measures designed to limit the impact of Spectre. As emerging research developed this year across the industry, we actively worked with Google’s Chromium Site Isolation Team to better understand any potential impact on browser-based password managers.
The latest developments have additionally uncovered possible attack vectors that attempt to compromise the potentially personal or confidential data stored on any website(s) and/or browser extension(s), regardless of site or extension provider. Google has recently released updates intended to protect against these types of attacks and prevent data from potentially being compromised on Chromium-based browsers like Chrome.
We encourage all our customers using the LastPass browser extension to review the latest developments and our recommended security steps outlined below to better protect their personal or confidential data.
Details of the Vulnerability
Google’s Chrome, and other browsers, isolate webpages and/or browser extensions to prevent malicious webpages and/or browser extensions from being able to read another application’s potentially personal or confidential data. This ‘site isolation’ is performed by running each webpage and/or browser extension in a different operating-system process to keep them quarantined from one another. While most browsers are designed with this feature, recent research has revealed methods by which the vulnerability could be used to defeat the ‘isolation’ intended to protect a user’s data.
One of the methods an attacker may use is coercing a running website into the same ‘isolated process’ as a malicious website. This can happen when a malicious website shares a top-level domain with a non-malicious website and the browser, as an optimization, places both websites into the same process. This method of attack can potentially grant access to all the data that is stored in memory for those running websites, including someone’s potentially personal or confidential data. To greatly reduce the risk associated with this attack, progress has been made with Google’s Chrome 92 (as noted above) and Firefox with Fission enabled, and in addition, we continue to recommend the security best practices outlined below.
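To make the grouping described above concrete, here is an added illustration (not LastPass or Chromium code) of a simplified model of site isolation: pages are assigned to processes by *site*, meaning scheme plus registrable domain (eTLD+1), so two subdomains of the same registrable domain land in one process while subdomains of a public suffix such as github.io do not. The tiny hard-coded public-suffix list is an assumption standing in for the real one.

```javascript
// Simplified model of site-keyed process grouping (illustration only).
// ASSUMPTION: a minimal public-suffix list; real browsers use the full
// Public Suffix List to decide where the registrable domain starts.
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk", "github.io"]);

// Return the registrable domain (eTLD+1) of a hostname, e.g.
// "bank.example.com" -> "example.com", "evil.github.io" -> "evil.github.io".
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  // Try the longest candidate suffix first, leaving at least one label in front.
  for (let i = 1; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) {
      return labels.slice(i - 1).join(".");
    }
  }
  return hostname; // no known suffix: treat the whole host as the site
}

// The "site" key a browser uses to pick a process: scheme + eTLD+1.
function siteKey(url) {
  const u = new URL(url);
  return `${u.protocol}//${registrableDomain(u.hostname)}`;
}

// Two pages share a renderer process in this model iff their site keys match.
function sharesProcess(urlA, urlB) {
  return siteKey(urlA) === siteKey(urlB);
}

// Group a list of open-tab URLs into simulated processes keyed by site.
function groupIntoProcesses(urls) {
  const groups = {};
  for (const url of urls) {
    const key = siteKey(url);
    (groups[key] ??= []).push(url);
  }
  return groups;
}

// Constructed sample tabs: a sensitive page plus a hostile sibling subdomain.
const SAMPLE_TABS = [
  "https://bank.example.com/login",
  "https://evil.example.com/",      // same site as the bank page
  "https://victim.github.io/",
  "https://evil.github.io/",        // github.io is a public suffix: separate site
  "http://bank.example.com/",       // different scheme: separate site
];
```

Running `groupIntoProcesses(SAMPLE_TABS)` shows the bank page and its hostile sibling subdomain sharing one process key, which is the situation the text warns about and one reason to keep unrelated tabs closed while handling sensitive data.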
Another consideration is browser extensions: software installed within your browser that uses content scripts, files that run in the context of web pages. Content scripts can read details of the web pages the browser visits, make changes to them, and pass information to their parent extension. Malicious browser extensions can also potentially bypass the isolation barriers and access data within other extensions. It is important to note, however, that the browser extension isolation issue has been resolved in Google’s Chrome 92.
For example, the LastPass browser extension’s content script is utilized to transfer credentials from your encrypted vault to the web page for submission, and we limit the amount of time that secrets are stored in memory to a minimum only as required. Credentials are only passed within the content script when required for the features of the extension to operate.
Steps You Can Take to Protect Your Personal or Confidential Data
To better secure your potentially personal or confidential data and reduce your risk to cyber threats and vulnerabilities such as Spectre, we recommend our users, customers, and community members always exercise caution and remain diligent while browsing online. Below are some recommended best security practices.

- Use LastPass to help identify spoofed sites. One of the benefits of using a password manager is it will only input a password into the original site you created it for. If you visit a website that at first glance looks legitimate but has a fraudulent URL, pay attention if your password manager does not recognize the website and auto-fill your credentials. That is a red flag you may be on a spoofed website.
- Only install well-known browser extensions and visit websites from reputable companies. Double check the spelling of website URLs and extension names, and ensure sites are secured with https.
- Keep your browsers and applications up to date with the latest software versions as they are released, and enable automatic software updates in your browser settings where available. Many times, these updates include added security features and patches for vulnerabilities, such as the above-mentioned progress Google’s Chrome 92 and Firefox with Fission enabled have made to reduce risk due to Spectre.
- Manage your tabs to limit the number of webpages you have open at once. When possible, while browsing a website containing personal or confidential data such as online banking or social media accounts, close other unnecessary tabs to reduce opportunities for data to cross between sites. As a best practice, if you are logged into a webpage with personal or confidential data but no longer need the webpage or account open, log out and close the page.
- Browse websites in ‘private’ mode, especially when browsing sensitive sites. Depending on the browser you use, the names for private browsing options may differ. Tip: If you find your LastPass extension does not work while in private browsing mode, you can manage your settings within the browser extension to allow the extension to operate in private browsing mode.