LastPass URL Parsing Bug
Mathias Karlsson (Hacker News, Slashdot):
Stealing all your passwords by just visiting a webpage. Sounds too bad to be true? That’s what I thought too before I decided to check out the security of the LastPass browser extension.
[…]
I reported this to LastPass through their responsible disclosure page and the report was handled very professionally. The fix was pushed in less than a day(!), and they even awarded me with a bug bounty of $1,000.
[…]
Should we stop using password managers? No. They are still much better than the alternative (password reuse).
Although, taking a second to disable autofill functionality is a good move because this isn’t the first autofill bug we’ve seen, and I doubt it will be the last.
Disclosure: I work for AgileBits, makers of 1Password.
For browser extensions, the URL constructor would be even easier [for parsing]. (Yes, I know it says that IE doesn’t support it, but IE doesn’t have a proper extensions framework, so it’s irrelevant to this topic.)
