On Friday, LastPass published a post that said the bugs had been fixed and described the "limited set of circumstances" required for the flaws to be exploited. a routine called LP_iscrossdomainok() that could bypass other security checks.a bug that allowed attackers to disable several security checks by putting the string "" in code.the handle_hotkey() didn't check for trusted events, allowing sites to generate arbitrary hotkey events.He also described three other weaknesses he found in the extensions, including: In a series of updates, Ormandy described easier ways to carry out the attack. The researcher then showed how a bypass might work by combining two domains into a single URLs such as: "This is possible to bypass, because you can make them match by finding a site that will iframe an untrusted page." "This will prompt if you try to clickjack filling in or copying credentials though, because frame_and_topdoc_has_same_domain() returns false," Ormandy continued. Users who click on the link open the malicious page or resource rather than the one that appears to be safe. In its most common form, clickjacking attacks place a malicious link in a transparent layer on top of a visible link that looks innocuous. "That means via some clickjacking, you can leak the credentials for the previous site logged in for the current tab."Ĭlickjacking is a class of attack that conceals the true destination of the site or resource displayed in a Web link. "Because do_popupregister() is never called, ftd_get_frameparenturl() just uses the last cached value in g_popup_url_by_tabid for the current tab," Ormandy wrote. ![]() ![]() In some cases, this unexpected method caused the popups to open with a password of the most recently visited site. In certain situations, websites could produce a popup by creating an HTML iframe that linked to the Lastpass popupfilltab.html window rather than through the expected procedure of calling a function called do_popupregister(). In a write-up that became public on Sunday, Ormandy said the flaw stemmed from the way the extension generated popup windows. The vulnerability was discovered late last month by Google Project Zero researcher Tavis Ormandy, who privately reported it to LastPass. ![]() ABC Photo Archives / Getty Images reader comments 106ĭevelopers of the LastPass password manager have patched a vulnerability that made it possible for websites to steal credentials for the last account the user logged into using the Chrome or Opera extension.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |