LastPass hacked — can password managers be trusted?
Paolo concludes his post with this thought:
Ultimo dubbio ricorrente: ci si può fidare a depositare una copia dell’archivio di password nel cloud? Un gestore di password diventa un punto unico di vulnerabilità: se qualche malintenzionato riesce ad accedere al sito del produttore, c’è il rischio che abbia accesso a tutte le password di tutti gli utenti.
Last recurring doubt: you can trust to deposit a password archive in the cloud? A password manager becomes a single point of vulnerability: if some hacker gains access to the manufacturer’s website, there is a risk that he has access to all the passwords of all users.
What a coincidence! Now a critical zero-day flaw has been discovered in the popular cloud password manager LastPass that could allow any remote attacker to compromise your account completely.
The bug that allowed me to extract passwords was found in the autofill functionality. First, the code parsed the URL to figure out which domain the browser was currently at, then it filled any login forms with the stored credentials.
However, the URL parsing code was flawed (bug in URL parsing? shocker!).
By browsing this URL: http://email@example.comfirstname.lastname@example.org the browser would treat the current domain as avlidienbrunn.se while the extension would treat it as twitter.com. Since the code only URL encodes the last occurence of @, the actual domain is treated as the username portion of the URL.
Below you see that the extension would fill my form with the stored credentials for twitter.com. After that I could simply go through other commonly used sites and extract credentials for those too.