Tuesday, March 1, 2011

LastPass XSS vulnerability found, website and browser add-ons affected (updated)

Mike Cardwell, the Stallmanite who recently discovered a fantastically covert way of working out which Web services you're currently logged in to, has found a nasty XSS vulnerability in the LastPass password manager. The cross-site scripting (XSS) vulnerability not only allows nefarious types to see which sites you've recently logged in to, but it also provides access to your email address and password reminder.

First off: don't worry. Cardwell reported the vulnerability to LastPass before writing it up, and it has since been fixed. We're not sure if the fix has propagated out to the Chrome and Firefox add-ons -- but we have to assume that Cardwell wouldn't have written his blog post if the vulnerability still existed.

With that said, you should still be more than a little concerned about the fundamental architecture of LastPass as an in-the-cloud password manager. While this cross-site scripting attack was fixed quickly, Cardwell thinks a similar attack "could easily happen again in future."

Beyond being susceptible to XSS attacks, LastPass doesn't even use HSTS, which means that man-in-the-middle (MITM) attacks are also rather easy to pull off.
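As an added example (not code from the original post or from LastPass), here is a small Python check of the kind a defender runs against a site's response headers to see whether HSTS is actually in force and not just nominally present; the SIX_MONTHS threshold and the requirement for includeSubDomains are assumptions of this check, stricter than the minimum browsers accept.

```python
from typing import Optional

# Added example, not from the original post: audit a response's
# Strict-Transport-Security header and explain why it does or does not
# protect against the downgrade/MITM scenario the post describes.

SIX_MONTHS = 180 * 24 * 3600  # assumed minimum max-age for a meaningful policy

def parse_hsts(header: Optional[str]) -> dict:
    """Split a Strict-Transport-Security value into lower-cased directives.
    Returns {} when the header is absent or empty."""
    if not header:
        return {}
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives

def hsts_verdict(headers: dict) -> tuple:
    """Return (ok, reason). Header names are matched case-insensitively,
    as HTTP field names are."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    d = parse_hsts(value)
    if not d:
        return (False, "no HSTS header: a plaintext request can be intercepted and is never upgraded")
    if "max-age" not in d or not d["max-age"].isdigit():
        return (False, "max-age missing or not numeric: browsers ignore the header")
    max_age = int(d["max-age"])
    if max_age == 0:
        return (False, "max-age=0 clears the policy instead of enforcing it")
    if max_age < SIX_MONTHS:
        return (False, f"max-age={max_age}s is short; policy expires quickly")
    if "includesubdomains" not in d:
        return (False, "includeSubDomains absent: insecure subdomains can still reach cookies")
    return (True, "HSTS enforced")

# Constructed sample header sets (not captured from any real site)
WEAK = {"Content-Type": "text/html"}  # no HSTS at all, the state the post describes
FIXED = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
```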

It's very hard for us to recommend LastPass as a password manager when further vulnerabilities will almost certainly be found. For the time being, you should check out KeePass, an offline password manager that, for now, is a lot more secure than LastPass.

Update: LastPass has now implemented HSTS and a few other features to make their website and browser add-ons a lot harder to attack in the future. Hooray!

[Thanks to Brad for the tip!]

Tags: apps, browsers, cross-site scripting, Cross-siteScripting, keepass, lastpass, password manager, PasswordManager, security, vulnerability, web, xss

