LastPass, a popular password management service with addons for
Firefox, Chrome, and Internet Explorer suffered from a clickjacking
vulnerability which can be exploited on sites without the proper
X-Frame-Options headers to steal passwords. The password auto-fill
dialogue can be overlayed with a deceptive page to trick users into
copying and then pasting their password into an attacker’s site.
Update: After disclosing with the Lastpass folks via their support system and getting a very quick and helpful response this issue is now fixed for all the latest versions of Lastpass on Chrome & Internet Explorer. Kudos to the Lastpass guys for being so quick on patching! The only patch that is not available is for Mozilla Firefox due to Mozilla’s unwillingness to approve the update in a reasonable amount of time. See below for full details.
For the proof of concept example we’ll use Tumblr, which makes use of JavaScript to prevent clickjacking. The protection is ineffective however, as the site can be framed with an HTML5 iframe sandbox to prevent the page from executing JavaScript:
While the page has been prevented from running JavaScript, the Lastpass addon is still able to add its auto-fill functionality to the Tumblr login form. Since this page can be iframed we can overlay an entire page to redress the UI in order to trick the user into clicking through the Lastpass dialogues. The following image shows this UI being redressed to look like a CAPTCHA system against bots:
The user is prompted to copy the agreement text, followed by clicking on some “randomized buttons” before being asked to paste the agreement text back into a text box. What the user is unaware of is that they are actually copying their Lastpass password for Tumblr upon clicking button number three. When the user goes to paste the agreement text back into the website they are inadvertently giving away their password to the attacker’s site:
The trickery becomes obvious when the overlay is made slightly transparent:
A video demonstrating the vulnerability is also available here:
The fix for websites is possible by just using an X-Frame-Options: SAMEORIGIN header.
It would be trivial to build this exploit for other websites, please keep in mind that Tumblr has little to do with this issue – they are just the example. The core of the problem was with the Lastpass service.
Disclosure Timeline
___________________________________________________________________________________
CONTACT US..!!
___________________________________________________________________________________
https://www.facebook.com/Walkalone3933?ref=bookmarks
https://www.instagram.com/walk._.alone/
https://www.instagram.com/hackingtipsandstuff/
Update: After disclosing with the Lastpass folks via their support system and getting a very quick and helpful response this issue is now fixed for all the latest versions of Lastpass on Chrome & Internet Explorer. Kudos to the Lastpass guys for being so quick on patching! The only patch that is not available is for Mozilla Firefox due to Mozilla’s unwillingness to approve the update in a reasonable amount of time. See below for full details.
For the proof of concept example we’ll use Tumblr, which makes use of JavaScript to prevent clickjacking. The protection is ineffective however, as the site can be framed with an HTML5 iframe sandbox to prevent the page from executing JavaScript:
While the page has been prevented from running JavaScript, the Lastpass addon is still able to add its auto-fill functionality to the Tumblr login form. Since this page can be iframed we can overlay an entire page to redress the UI in order to trick the user into clicking through the Lastpass dialogues. The following image shows this UI being redressed to look like a CAPTCHA system against bots:
The user is prompted to copy the agreement text, followed by clicking on some “randomized buttons” before being asked to paste the agreement text back into a text box. What the user is unaware of is that they are actually copying their Lastpass password for Tumblr upon clicking button number three. When the user goes to paste the agreement text back into the website they are inadvertently giving away their password to the attacker’s site:
The trickery becomes obvious when the overlay is made slightly transparent:
A video demonstrating the vulnerability is also available here:
The fix for websites is possible by just using an X-Frame-Options: SAMEORIGIN header.
It would be trivial to build this exploit for other websites, please keep in mind that Tumblr has little to do with this issue – they are just the example. The core of the problem was with the Lastpass service.
Disclosure Timeline
- April 3, 2015 – Issue reported via the Lastpass ticket system
- April 4, 2015 – Lastpass responds with confirmation of this issue, confirms they will work on figuring out remediation. (Also discussing a mistake with the link I sent them showing the issue)
- April 20, 2015 – Patch implemented internally for testing before being pushed to production.
- April 22, 2015 – Path pushed to Chrome browser, other browser patches in the works.
- July 1, 2015 – Mozilla has still not pushed a patch out despite Lastpass submitting it on April 22nd.
___________________________________________________________________________________
CONTACT US..!!
___________________________________________________________________________________
https://www.facebook.com/Walkalone3933?ref=bookmarks
https://www.instagram.com/walk._.alone/
https://www.instagram.com/hackingtipsandstuff/
---------->Walk._.Alone<-----------
No comments:
Post a Comment