Friday, March 16, 2012

Lastpass.com security vulnerability

Recently, I've discovered an XSS (Cross-site scripting) vulnerability in the Lastpass.com add-on for browsers.
Lastpass.com is a password manager that keeps passwords in the cloud in a secured manner.

The vulnerability allows a malicious site owner to craft a special field which, if and when the user decides to remove that field from the vault, causes arbitrary JavaScript code to be executed. That code would be able to access the runtime environment of the plugin, and thus to submit sensitive information about Lastpass.com users to an external site.
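The root cause described above is a classic one: a value that a web page controls (the field name) is later treated as markup inside the privileged extension UI. The following is an added example, not LastPass's code, showing the unsafe rendering pattern beside a hardened one and a check that catches the difference. The field object shape (`{ id, name }`) and the row template are assumptions made for illustration; the hostile field name is a constructed sample.

```javascript
// Added example (not LastPass code): rendering an untrusted vault field name
// in an extension UI. The name was captured from a site the user visited, so
// it must be handled as attacker-controlled data, never as markup.

// Escape the characters HTML treats specially so the value becomes inert text.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: untrusted data concatenated straight into the markup of
// the "remove field" row. Any tag inside field.name becomes live DOM in the
// extension's own origin.
function renderRemoveRowUnsafe(field) {
  return `<li>${field.name} <button data-id="${field.id}">Remove</button></li>`;
}

// Hardened pattern: every interpolated value is escaped first. In real
// extension code, prefer building nodes with createElement/textContent and
// ship a Content Security Policy that forbids inline script as a second layer.
function renderRemoveRowSafe(field) {
  return `<li>${escapeHtml(field.name)} <button data-id="${escapeHtml(field.id)}">Remove</button></li>`;
}

// Regression check suitable for a unit test: the rendered row may only contain
// the tags the template itself emits. Any other tag came from the data.
function hasInjectedTag(html) {
  const allowed = new Set(['li', '/li', 'button', '/button']);
  const tags = [...html.matchAll(/<\s*(\/?[a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowed.has(t));
}

// Constructed sample: a field name as a malicious page could have submitted it.
const hostileField = { id: 'f-1', name: 'login<script>alert(1)</script>' };

console.log('unsafe row injects markup:', hasInjectedTag(renderRemoveRowUnsafe(hostileField)));
console.log('safe row injects markup:  ', hasInjectedTag(renderRemoveRowSafe(hostileField)));
```

The `hasInjectedTag` check is deliberately narrow (an allow-list of the template's own tags) so it can be run over every rendered row in a test suite; the escaping function is the fix, the check is what keeps the fix from regressing.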

Lastpass.com acknowledged the vulnerability and issued a patch in a short amount of time. Lastpass.com add-ons are no longer affected by the issue at this moment. They also publicly credited me for the disclosure at https://lastpass.com/support_security.php