LastPass Fixes XSS Vulnerability, Improves Security

Ghacks regulars know that I'm a big supporter of the free cloud based password manager LastPass. The program is available for popular web browsers and mobile devices, and offers many comfortable password and login related features. This includes online password management, one-click log ins, user profiles to fill out forms faster, a secure password generator and more.

A cross site scripting vulnerability was recently discovered by a security researcher on the LastPass.com website. The potential to exploit the vulnerability was limited, as it required a specifically prepared website and a user who was logged into LastPass.

The developers stated on the official LastPass blog that the logs did not indicate that the vulnerability was successfully exploited, other than by the security researcher who discovered it.

The vulnerability has been fixed and, as a consequence, security has been improved on the Last Pass website. The developers list four areas of improvements:

• Implementation of HSTS which basically forces supported web browsers (Chrome and Firefox 4 currently) to stay "on secure SSL web requests for the lastpass.com domain."
• Increased input filtering and stateful inspection
• Implementation of X-Frame-Options which makes it impossible to embed Last Pass pages via iframes or frames.
• Implementation of "something very similar to Content Security Policy" which allows the LastPass admins to specify how content interacts on their website.

The LastPass blog offers links to several of the concepts and technologies that have been added or implemented as a reaction to the discovered vulnerability.

LastPass users who would like to take a look at the original article can do so here. It details the security researcher's methodology and is a good read for security interested computer users.