LastPass Fixes XSS Vulnerability, Improves Security

Martin Brinkmann
Feb 28, 2011
Updated • Dec 7, 2012

Ghacks regulars know that I'm a big supporter of the free cloud-based password manager LastPass. The program is available for popular web browsers and mobile devices, and offers many convenient password and login related features. These include online password management, one-click logins, user profiles to fill out forms faster, a secure password generator and more.

A cross-site scripting vulnerability on the LastPass website was recently discovered by a security researcher. The potential to exploit the vulnerability was limited, as it required a specifically prepared website and a user who was logged into LastPass.

The developers stated on the official LastPass blog that the logs did not indicate that the vulnerability was successfully exploited, other than by the security researcher who discovered it.

The vulnerability has been fixed and, as a consequence, security has been improved on the LastPass website. The developers list four areas of improvement:

  • Implementation of HSTS, which forces supported web browsers (currently Chrome and Firefox 4) to stay "on secure SSL web requests for the domain."
  • Increased input filtering and stateful inspection.
  • Implementation of X-Frame-Options, which prevents LastPass pages from being embedded via iframes or frames.
  • Implementation of "something very similar to Content Security Policy", which allows the LastPass admins to specify how content interacts on their website.
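The three response headers in that list (HSTS, X-Frame-Options and a CSP) are what a defender checks for when reviewing a site's hardening. The following audit script is an added example and not LastPass's code; its header values are constructed samples, not captured from lastpass.com, and the one-year HSTS threshold and the CSP script-source checks are my own choices.

```python
# Added example (not LastPass code): audit response headers for the HSTS,
# X-Frame-Options and CSP measures the post lists. Sample values are constructed.

def parse_csp(value: str) -> dict:
    """Split a CSP header into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def audit_security_headers(headers: dict) -> list:
    """Return a list of findings (strings); an empty list means all checks pass."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: browser may fall back to plain HTTP")
    else:
        directives = {d.strip().split("=")[0].lower(): d.strip() for d in hsts.split(";")}
        max_age = directives.get("max-age", "max-age=0").split("=", 1)[1]
        if not max_age.isdigit() or int(max_age) < 31536000:  # one year, my threshold
            findings.append("HSTS max-age below one year")
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive: page can be framed")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing: no restriction on script sources")
    else:
        policy = parse_csp(csp)
        script_src = policy.get("script-src", policy.get("default-src", []))
        if not script_src or "*" in script_src or "'unsafe-inline'" in script_src:
            findings.append("CSP allows inline or wildcard scripts")
    return findings

# Constructed sample: headers before and after the kind of hardening described.
BEFORE = {"Content-Type": "text/html"}
AFTER = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
}

if __name__ == "__main__":
    print("before:", audit_security_headers(BEFORE))
    print("after:", audit_security_headers(AFTER))
```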

The LastPass blog offers links to several of the concepts and technologies that have been added or implemented as a reaction to the discovered vulnerability.

LastPass users who would like to take a look at the original article can do so here. It details the security researcher's methodology and is a good read for security-interested computer users.

