LastPass Firefox Extension 4.0 < 4.1.21a Message Hijacking

high Nessus Plugin ID 92660

Synopsis

A password manager installed on the remote host is affected by a remote message hijacking vulnerability.

Description

According to its version, the LastPass Firefox extension installed on the remote Windows host is 4.0.x prior to 4.1.21a. It is, therefore, affected by a message hijacking vulnerability due to improper validation of messages sent between the extension and a privileged iframe. An unauthenticated, remote attacker can exploit this issue, by convincing a user into loading a specially crafted web page that programmatically clicks a LastPass modified input element, to take full control of the LastPass extension, including creating and deleting files, executing scripts, and disclosing passwords.

Solution

Upgrade to LastPass Firefox extension version 4.1.21a or later.

See Also

https://bugs.chromium.org/p/project-zero/issues/detail?id=884

https://blog.lastpass.com/2016/07/lastpass-security-updates.html/

https://thehackernews.com/2016/07/lastpass-password-manager.html

Plugin Details

Severity: High

ID: 92660

File Name: lastpass_4_1_21a_firefox_extension_message_hijacking.nasl

Version: 1.7

Type: local

Agent: windows

Family: Windows

Published: 8/1/2016

Updated: 11/15/2018

Supported Sensors: Nessus Agent, Nessus

Vulnerability Information

CPE: x-cpe:/a:lastpass:lastpass

Required KB Items: Browser/Firefox/Extension

Patch Publication Date: 7/27/2016

Vulnerability Publication Date: 7/27/2016