[pwman]

LastPass has pushed Google for years to give us a way to avoid using the browser viewport: infobars was a solution to this issue -- you can see one of my pleas for it back in January 2012: https://code.google.com/p/chromium/issues/detail?id=39511

We do a lot to try to protect our usage of viewports using iframes, but it's not good enough and we'll figure out a way to do better. LastPass has generally told people to use the extension directly to login as it's more secure, we'll need to go further here as well.

Sean was clever using http://chrome-extension.pw which looks close -- but LastPass also detects you enter your master password on an incorrect domain and notifies you immediately of your mistake, mitigating this a great deal. This has existed for a long time before Sean's report and we did not implement as a response to Sean's bug report -- we implemented it as a general way for people to know about password resuse and to be notified of being phished.

Making this practical is a lot tougher than email phishing -- you really need an XSS on a page that people use to login, and unlike email phishing it is immediately caught.

[bqe]

Sean here: the mitigation you speak of (notifying the user that they've typed in their master password) is actually another vulnerability.

A malicious page can detect the fact that LastPass put that notification, and then it knows exactly what your master password is without even contacting LastPass. I've told your security team about this but haven't yet received a response.

[pwman]

Yes, we're pushing the notification to a new tab (which can't be blocked or interfered with) once it goes through QA -- likely early next week.

Also even multifactor now must be new location verified so the ability to exploit this is now extremely low. Any attempt utilize those credentials will be blocked an email will be generated just like what happened in the non-multifactor case.

Hopefully you've gained enough attention for the chrome issue: https://code.google.com/p/chromium/issues/detail?id=453093 to be implemented sooner rather than later, if you could do me a favor and follow it to keep the pressure on Google to help mitigate phishing risk we'd appreciate it.

[DrewHintz]

> Yes, we're pushing the notification to a new tab (which can't be blocked or interfered with)

We went through a similar iteration with Password Alert. If you're setting focus on the new tab, an onBlur event could indicate that the current page has lost focus, perhaps due to the warning tab. I think notifying the user is still net-positive for the user's security.

[pwman]

Interesting, I hadn't heard of Password Alert -- we should definitely share notes if you're open to it -- I'd love to be able to generalize what we're doing to other domains if we could -- it's unfortunately cpu intense how we're doing it.

[DrewHintz]

Sure thing, I'm happy to help. Our code is at https://github.com/google/password-alert and feel free to email me any questions at drew@overt.org

However we haven't published a good design document about the client. If you're interested, let me know and I'll try to publish one.

[komaromy]

Sending the notification still seems like a better idea than not doing it. If a page has gotten you to enter the password at all then it's pretty likely that it knows the significance before the notification.

[level3]

But does the page even need to get you to enter it? Could it be possible to set up a hidden password field for LastPass to monitor, and then run a dictionary attack in the background, waiting for the notification?

(I don't use LastPass, so I don't know anything about how this feature is designed.)

[DrewHintz]

This can be protected against by the extension looking at keyboardEvents and verifying the isTrusted attribute. Here are details about how we do this in Password Alert: https://github.com/google/password-alert/blob/master/SECURIT...

Before Chrome implemented isTrusted, it was a bit more tricky and we had to rely on a variety of attributes that did not have as much of a security guarantee.

[level3]

Thanks for the helpful explanation! Those seem like fair mitigations.

Reading more on it, though, since isTrusted can apparently be spoofed, it looks like the main obstacles are the (2) rate-limiting and the (3) intentional collisions.

For (2), I suspect typical users would have a memorizable master password that's more susceptible to brute forcing, but of course it depends on the actual rate limit and how long you can keep the script running. Alternatively, I suppose a malicious script could overwhelm the rate limit so that the user wouldn't receive a legitimate warning.

For (3), I wonder whether LastPass has a similar mitigation? From what I understand, they don't store the actual password, so all you would need is a matching hash.

I'd be interested to know more details about LastPass's protections.

Edit: I just saw pwman's response above.

[DrewHintz]

> isTrusted can apparently be spoofed

isTrusted cannot be spoofed in this situation, which is its intended use in Chrome. A Chrome extension in the isolated world is receiving events from the main world and checking isTrusted for those events.

[Latty]

Not great, but at that point they don't get your two factor token at least.

[bqe]

Why not? If I suppress the notification, you won't see it. You will then click "Log in" and I'll redirect you to your 2FA screen. I think it's ineffective at what it's trying to do.

[DrewHintz]

> LastPass also detects you enter your master password on an incorrect domain and notifies you immediately of your mistake

Interesting! How does it do this?

[willidiots]

I'm assuming by the same mechanism that offers to save previously-entered passwords. It's always sniffing anything you type into a password field.

[TwoBit]

How would it know it's a password field and not just some text input box that uses * characters?

[joshschreuder]

<input type="password" /> I assume

[nfm]

For what it's worth, I'd definitely prefer logins from new devices to require an email confirmation when 2FA is enabled.