LastPass Credential Leak From Previous Site

Credit: Tavis Ormandy
Risk: High
Local: Yes
Remote: No

lastpass: bypassing do_popupregister() leaks credentials from previous site I noticed that you can create a popup without calling do_popupregister() by iframing popupfilltab.html (i.e. via moz-extension, ms-browser-extension, chrome-extension, etc). It's a valid web_accessible_resource. Because do_popupregister() is never called, ftd_get_frameparenturl() just uses the last cached value in g_popup_url_by_tabid for the current tab. That means via some clickjacking, you can leak the credentials for the previous site logged in for the current tab. I don't consider this a *critical* issue, because I don't think there's a way to control which site you leak credentials from (just the last visited site), but it does seem serious enough to fix. To reproduce the issue: 1. Go to a site you have credentials saved for and click the little \"...\" icon. 2. Go to 3. Enter this in the console: y = document.createElement(\"iframe\"); y.height = 1024; y.width = \"100%\"; y.src=\"chrome-extension://hdokiejnpimakedhajhdlcegeplioahd/popupfilltab.html\"; // or y.src=\"moz-extension://...\"; // or y.src=\"ms-browser-extension://...\"; document.body.appendChild(y); This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public. Found by:

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2023,


Back to Top