The researcher pointed out other issues discovered in LastPass that could be leveraged by an attacker. Although the method may not work with all websites, Ormandy reckons that the bug has a high severity.
"That means via some clickjacking, you can leak the credentials for the previous site logged in for the current tab," Ormandy explains in the report to LastPass at the end of August.Īfter tinkering with the bug for a while, the researcher found a way to automate the credential leak on a Google website.
How log into lastpass browser extension verification#
By placing into an iframe the popup prompting for a password fill, a step in the verification chain was skipped and the last cached value for the current tab would be leaked. He explains that the theft would be successful if all actions happened in the same tab, though. In the vulnerability disclosure submitted to LastPass, the researcher details the technical aspect and how subsequent clickjacking can reveal the last credentials used by a victim.
Google security engineer Tavis Ormandy found that an attacker could create a valid clickjacking scenario for a user that has used LastPass to log into an account and direct them to a compromised or malicious website loaded with a specially created iframe. A security vulnerability in the extension of LastPass password manager could have allowed stealing the credentials last used for logging into a website.Įxploiting the bug was possible in Google Chrome and Opera web browsers and required some effort to be successful since the target needed to go through several steps.