Password managers should be a staple of just about anyone's security plan. But they are not without risks of their own.
One researcher discovered how to steal passwords stored with LastPass with just a specially crafted URL that can then be sent to the victim.
The URL has to specify which service, such as Twitter or Facebook, to steal passwords for, but, “If the victim uses LastPass for those, then those passwords would be sent to the attacker,” Mathias Karlsson, the security researcher who discovered the bug, told Motherboard in a Twitter message. (The bug has already been patched).
LastPass works as a browser extension (Google Chrome's, in this case) and automatically fills in your passwords on sites where you have saved them. The user only has to remember one master password to unlock all the others, which makes it far easier to use a unique credential for every site.
As Karlsson explained in a blog post published on Thursday, LastPass injects some HTML code into every page the user visits. That code parses the page's URL itself to work out which domain the user is on, and then fills in the matching password. URL syntax allows a credentials section of the form user:password@ in front of the hostname, and the crafted URL's "@" is evidently what the parser trips over: it treats what follows the "@" as the host, even though that "@" sits in the path rather than in front of the real hostname.
Karlsson's own URL, however (in this case http://avlidienbrunn.se/@twitter.com/@hehe.php), tricked LastPass into thinking it was visiting Twitter, making it cough up the password.
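To make the failure mode concrete, here is an added example in JavaScript. It is not LastPass's code or Karlsson's; the `naiveHost` function is a hypothetical reconstruction of the bug class, not the extension's actual parser, and the `shouldFill` helper and the sample URLs other than the crafted one are constructed for the demonstration. It puts a host extractor that treats any "@" in the URL as the end of a credentials block beside the WHATWG URL parser, which only recognises credentials in the authority part, and runs both on the crafted URL quoted in the article.

```javascript
// Added example (not LastPass's or Karlsson's code): a hypothetical naive
// host extractor that mishandles "@" in URLs, beside the correct approach of
// letting a real URL parser decide which host the page belongs to.

// Hypothetical naive extractor. It strips the scheme and then, trying to skip
// a "user:pass@" credentials block, discards everything up to the first "@"
// it finds anywhere in the URL, without checking that the "@" sits inside the
// authority (i.e. before the first "/"). A path containing "@" therefore
// hijacks the host. Reconstruction of the bug class, not LastPass's regex.
function naiveHost(href) {
  const m = href.match(/^https?:\/\/(?:.*?@)?([^\/:?#]+)/i);
  return m ? m[1].toLowerCase() : null;
}

// Correct: ask the URL parser. RFC 3986 only allows userinfo inside the
// authority, and the WHATWG URL constructor (global in browsers and Node)
// applies that rule, so "@" in the path cannot move the host.
function parsedHost(href) {
  try {
    return new URL(href).hostname.toLowerCase();
  } catch {
    return null; // not a parseable absolute URL
  }
}

// Autofill decision (constructed helper): release credentials stored for
// vaultDomain on the page at href only if the extracted host is that domain
// or a subdomain of it.
function shouldFill(href, vaultDomain, hostFn) {
  const host = hostFn(href);
  return host !== null && (host === vaultDomain || host.endsWith("." + vaultDomain));
}

// Constructed inputs: the crafted URL from the article plus ordinary cases.
const crafted = "http://avlidienbrunn.se/@twitter.com/@hehe.php";
const legit = "https://twitter.com/login";
const withCreds = "https://user:secret@twitter.com/login"; // genuine userinfo

function demo() {
  return {
    naive: {
      crafted: naiveHost(crafted),     // "twitter.com": attacker's page fills
      legit: naiveHost(legit),         // "twitter.com"
      withCreds: naiveHost(withCreds), // "twitter.com"
    },
    parsed: {
      crafted: parsedHost(crafted),     // "avlidienbrunn.se": the real host
      legit: parsedHost(legit),         // "twitter.com"
      withCreds: parsedHost(withCreds), // "twitter.com"
    },
    fillsOnCrafted: {
      naive: shouldFill(crafted, "twitter.com", naiveHost),   // true  (bug)
      parsed: shouldFill(crafted, "twitter.com", parsedHost), // false (fixed)
    },
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node example.js` or paste it into a browser console: the naive parser reports twitter.com for the crafted URL and would release the Twitter credentials on the attacker's page, while the URL parser reports avlidienbrunn.se and refuses. In an extension content script the safer option is not to parse the string at all but to read the browser's own resolved origin, `location.hostname`, which already applies these rules.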
“This could be done in the background, so the victim wouldn’t even know,” Karlsson told Motherboard. It would also be possible to grab multiple passwords at once, if the attacker used iframes, essentially extra HTML pages embedded into others, Karlsson said.
Karlsson was awarded $1,000 by LastPass for the discovery, he writes.
Coincidentally, on Tuesday security researcher Tavis Ormandy announced via Twitter that he had also found issues with LastPass, but that those resulted in remote compromise of the host machine. The details of that attack have not yet been made public.
Of course, this password-grabbing bug in LastPass is worrying, but it would be foolish to give up on password managers because of it. The security benefit of using a unique password on every site, especially when breaches seem to occur weekly if not more often, outweighs, for most people, the chance of someone pulling off an attack like this one.
If you're really paranoid about browser-based password managers, you could switch to an offline one instead, such as KeePass. But going back to the habit of using the same password everywhere will almost certainly blow up in your face.