{"id":15362,"date":"2016-07-27T13:46:13","date_gmt":"2016-07-27T17:46:13","guid":{"rendered":"http:\/\/mjtsai.com\/blog\/?p=15362"},"modified":"2016-07-27T13:46:13","modified_gmt":"2016-07-27T17:46:13","slug":"lastpass-url-parsing-bug","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2016\/07\/27\/lastpass-url-parsing-bug\/","title":{"rendered":"LastPass URL Parsing Bug"},"content":{"rendered":"

Mathias Karlsson<\/a> (Hacker News<\/a>, Slashdot<\/a>):<\/p>\n

\n

Stealing all your passwords by just visiting a webpage. Sounds too bad to be true? That’s what I thought too before I decided to check out the security of the LastPass browser extension.<\/p>\n

[…]<\/p>\n

I reported this to LastPass through their responsible disclosure page and the report was handled very professionally. The fix was pushed in less than a day(!), and they even awarded me with a bug bounty of $1,000.<\/p>\n

[…]<\/p>\n

Should we stop using password managers? No. They are still much better than the alternative (password reuse).<\/p>\n

Although, taking a second to disable autofill functionality is a good move because this isn’t the first autofill bug<\/a> we’ve seen, and I doubt it will be the last.<\/p>\n<\/blockquote>\n

xpx777<\/a>:<\/p>\n

Disclosure: I work for AgileBits, makers of 1Password.<\/p>\n

For browser extensions, the URL constructor<\/a> would be even easier [for parsing]. (Yes, I know it says that IE doesn’t support it, but IE doesn’t have a proper extensions framework, so it’s irrelevant to this topic.)<\/p><\/blockquote>","protected":false},"excerpt":{"rendered":"

Mathias Karlsson (Hacker News, Slashdot): Stealing all your passwords by just visiting a webpage. Sounds too bad to be true? That’s what I thought too before I decided to check out the security of the LastPass browser extension. […] I reported this to LastPass through their responsible disclosure page and the report was handled very […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"","apple_news_api_id":"","apple_news_api_modified_at":"","apple_news_api_revision":"","apple_news_api_share_url":"","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[131,1410,270,981,489,96],"class_list":["post-15362","post","type-post","status-publish","format-standard","hentry","category-technology","tag-bug","tag-lastpass","tag-parser","tag-passwords","tag-url","tag-web"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/15362","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=15362"}],"version-history":[{"count":1,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/15362\/revisions"}],"predecessor-version":[{"id":15363,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/15362\/revisions\/15363"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=15362"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=15362"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=15362"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}