LastPass Fixes XSS Vulnerability, Improves Security - gHacks Tech News


Ghacks regulars know that I'm a big supporter of the free, cloud-based password manager LastPass. The program is available for popular web browsers and mobile devices, and offers many convenient password and login related features, including online password management, one-click logins, user profiles to fill out forms faster, a secure password generator and more.

A cross-site scripting (XSS) vulnerability was recently discovered by a security researcher on the LastPass.com website. The potential for exploitation was limited: an attacker needed both a specially prepared website and a victim who visited it while logged into LastPass.

The developers stated on the official LastPass blog that their logs showed no sign that the vulnerability had been exploited by anyone other than the security researcher who discovered it.

The vulnerability has been fixed and, as a consequence, security on the LastPass website has been improved. The developers list four areas of improvement:

  • Implementation of HTTP Strict Transport Security (HSTS), which instructs supporting web browsers (currently Chrome and Firefox 4) to stay "on secure SSL web requests for the lastpass.com domain." Once a browser has seen the header it will only talk to lastpass.com over HTTPS and will not fall back to plain HTTP.
  • Increased input filtering and stateful inspection.
  • Implementation of X-Frame-Options, which tells supporting browsers to refuse to render LastPass pages inside frames or iframes on other sites, a defense against clickjacking.
  • Implementation of "something very similar to Content Security Policy", which lets the LastPass admins declare which sources their pages may load scripts and other content from, so that injected script from anywhere else is blocked by the browser.
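
As an added example (not code from this article or from LastPass), the small Python audit below checks a set of HTTP response headers for the three browser-side protections listed above: HSTS, X-Frame-Options and Content Security Policy. It reports each header that is missing and also flags weak values (an HSTS policy with no or a short max-age, a non-standard X-Frame-Options value, a CSP whose script policy allows 'unsafe-inline' or '*'), which is the check a practitioner would run after a deployment like the one described. The header sets are constructed for the example, the max-age threshold is an arbitrary choice, and the standard Content-Security-Policy header name is assumed; the post only says LastPass deployed "something very similar" to CSP.

```python
import re

# Constructed sample header sets for the example; not captured from lastpass.com.
BEFORE_FIX = {
    "Content-Type": "text/html; charset=utf-8",
}

AFTER_FIX = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'"
    ),
}

# Arbitrary threshold for this example: a six-month HSTS lifetime.
MIN_HSTS_MAX_AGE = 180 * 24 * 3600


def _get(headers, name):
    """Case-insensitive header lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_hsts(headers):
    """Return a finding string for a missing or weak HSTS header, else None."""
    value = _get(headers, "Strict-Transport-Security")
    if value is None:
        return "HSTS missing: browsers may still be sent to http:// for this host"
    match = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    if not match:
        return "HSTS present but has no max-age, so browsers ignore it"
    max_age = int(match.group(1))
    if max_age < MIN_HSTS_MAX_AGE:
        return f"HSTS max-age={max_age} is short; the policy expires quickly"
    return None


def check_frame_options(headers):
    """Return a finding for a missing or non-standard X-Frame-Options, else None."""
    value = _get(headers, "X-Frame-Options")
    if value is None:
        return "X-Frame-Options missing: pages can be framed by other sites (clickjacking)"
    if value.strip().upper() not in ("DENY", "SAMEORIGIN"):
        return f"X-Frame-Options value {value!r} is not DENY or SAMEORIGIN"
    return None


def parse_csp(value):
    """Split a CSP string into {directive: [source tokens]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def check_csp(headers):
    """Return a finding for a missing or weak script policy in CSP, else None."""
    value = _get(headers, "Content-Security-Policy")
    if value is None:
        return "Content-Security-Policy missing: no restriction on where scripts load from"
    directives = parse_csp(value)
    # script-src governs scripts; default-src is the fallback when it is absent.
    script_sources = directives.get("script-src", directives.get("default-src"))
    if script_sources is None:
        return "CSP has neither script-src nor default-src, so scripts are unrestricted"
    weak = {"'unsafe-inline'", "*"} & set(script_sources)
    if weak:
        return f"CSP script policy allows {sorted(weak)}, which defeats its XSS protection"
    return None


def audit(headers):
    """Run all three checks and return the list of findings (empty means clean)."""
    results = (check_hsts(headers), check_frame_options(headers), check_csp(headers))
    return [finding for finding in results if finding]


if __name__ == "__main__":
    for label, headers in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        findings = audit(headers)
        print(f"{label}: {'clean' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Running the module prints three findings for the constructed "before" set and none for the hardened set. Note that every one of these headers only helps in browsers that honor it, which is why the post lists the browsers that supported HSTS at the time; a hardened header set complements, but does not replace, the server-side input filtering also listed above.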

The LastPass blog links to background on several of the concepts and technologies that were added or implemented in response to the discovered vulnerability.

LastPass users who would like to read the original article can do so here. It details the security researcher's methodology and is a good read for security-interested computer users.
