SIK-2016-023


Title:

Privacy, Data leakage in LastPass Browser Search

Report ID

SIK-2016-023

Summary:

  • Vendor: LastPass
  • Product: LastPass Password Manager
  • Affected Version: 4.0.52, platformBuildVersionName="6.0-2704002"
  • Severity: low-medium
  • Short summary: All search requests sent by the LastPass browser can be eavesdropped on by a man-in-the-middle attacker.

Details:

The LastPass integrated browser leaks sensitive private information. For the default search suggestion function in the URL field, the typed input is transferred to Google, and this information is transferred over plaintext HTTP.

The obfuscated class com.lastpass.lpandroid.jl in the LastPass application implements the search/suggestion feature of the LastPass integrated browser. The search request to the Google URL is a plaintext HTTP request. A man-in-the-middle attacker can eavesdrop on all search results and requested URLs of the user (see the dump of the MITM traffic below).

GET http://google.com/complete/search?output=toolbar&q=t
200 text/xml 1658 86ms
GET http://google.com/complete/search?output=toolbar&q=te
200 text/xml 1718 94ms
GET http://google.com/complete/search?output=toolbar&q=tes
200 text/xml 1518 87ms
GET http://google.com/complete/search?output=toolbar&q=test
200 text/xml 1548 87ms
GET http://google.com/complete/search?output=toolbar&q=t
200 text/xml 1718 89ms
GET http://google.com/complete/search?output=toolbar&q=tu
200 text/xml 1648 84ms
GET http://google.com/complete/search?output=toolbar&q=tum
200 text/xml 1768 76ms
GET http://google.com/complete/search?output=toolbar&q=tumo
200 text/xml 548 72ms
GET http://google.com/complete/search?output=toolbar&q=tumor
200 text/xml 548 103ms

Such a MITM attack against smartphones is easy to carry out with a rogue or compromised Wi-Fi or GSM hotspot.
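As an added example (not part of the advisory), a small Python parser that scans a dump in the shape shown above for plaintext requests to the suggestion endpoint and collapses the per-keystroke q= values back into the terms the user finished typing; the embedded sample dump is constructed after the one above, shortened, with one HTTPS request added to show that encrypted requests are not flagged.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample shaped like the advisory's mitm dump (request line, then
# status line), shortened; the final https request is added to show that only
# plaintext requests are flagged.
SAMPLE_DUMP = """\
GET http://google.com/complete/search?output=toolbar&q=t
200 text/xml 1658 86ms
GET http://google.com/complete/search?output=toolbar&q=te
200 text/xml 1718 94ms
GET http://google.com/complete/search?output=toolbar&q=test
200 text/xml 1548 87ms
GET http://google.com/complete/search?output=toolbar&q=tu
200 text/xml 1648 84ms
GET http://google.com/complete/search?output=toolbar&q=tumor
200 text/xml 548 103ms
GET https://google.com/complete/search?output=toolbar&q=private
200 text/xml 600 90ms
"""

REQUEST_RE = re.compile(r"^[A-Z]+\s+(?P<url>\S+)")

def leaked_suggestion_queries(dump):
    """Return the q= values sent over plaintext HTTP to a /complete/search URL."""
    leaked = []
    for line in dump.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # status lines and other noise
        parts = urlsplit(m.group("url"))
        # Only the plaintext scheme is readable by an on-path attacker.
        if parts.scheme != "http" or not parts.path.endswith("/complete/search"):
            continue
        q = parse_qs(parts.query).get("q")
        if q:
            leaked.append(q[0])
    return leaked

def reconstruct_typed_terms(queries):
    """Collapse per-keystroke prefixes into the terms the user finished typing.
    A query that does not extend the previous one starts a new term."""
    terms, current = [], ""
    for q in queries:
        if current and not q.startswith(current):
            terms.append(current)
        current = q
    if current:
        terms.append(current)
    return terms
```

Running `reconstruct_typed_terms(leaked_suggestion_queries(SAMPLE_DUMP))` on the sample yields the two completed terms, while the HTTPS request is ignored.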

Workaround

To mitigate possible data leakage through the man-in-the-middle attack described in the Details section, the user should disable the LastPass browser option "Show suggestions from Google" or avoid using the integrated LastPass browser.

Suggested Mitigation

To prevent the search suggestion data leakage, use a Google API or submit the information over an HTTPS (SSL/TLS) connection.

Timeline

  • 2016-08-22 Vulnerability Discovered
  • 2016-08-24 Vulnerability Reported
  • 2016-09-06 Vulnerability Fixed