LastPass security hole (cross site scripting) ... possibly solved now.

… thought it was worth starting a new thread

LastPass cross-site scripting vulnerability revealed:
http://www.theregister.co.uk/2011/03/01/password_management_site_xss_bug/
https://grepular.com/LastPass_Vulnerability_Exposes_Account_Details

forum thread:
http://forums.lastpass.com/viewtopic.php?f=12&t=60559

lastpass response:
http://blog.lastpass.com/2011/02/cross-site-scripting-vulnerability.html
http://blog.lastpass.com/2011/03/content-security-policy-csp-implemented.html

… I guess - if we don’t take LP’s recent fixes into account - people using FF NoScript on any FF version, or simply using FF4 (CSP implementation https://wiki.mozilla.org/Security/CSP/Specification ), are protected.

edit: to make things clear if needed, the issue obviously only exists, or may exist, when you log in to your LastPass account directly on the LastPass website, not when using the browser plugin.

just posted this on NS forums:
http://forums.informaction.com/viewtopic.php?f=8&t=5928#p25741

expecting feedback there…
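As an added illustration of the CSP point above (this is example code, not part of the thread, and not LastPass’s or NoScript’s code), the small checker below parses a Content-Security-Policy header and reports which script-src settings would still let injected script run. It uses the W3C CSP 1.0 directive names (default-src, script-src) rather than the older X-Content-Security-Policy "allow" syntax that Firefox 4 shipped; the two sample policies are constructed for illustration, and the host cdn.example.test is a placeholder.

```python
"""Report Content-Security-Policy script-src settings that would still allow
injected (XSS) script to execute.

Added example, not code from the thread, LastPass or NoScript. Uses W3C CSP 1.0
directive names; the sample policies at the bottom are constructed.
"""

from typing import Dict, List

FETCH_FALLBACK = "default-src"


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split 'a b c; d e' into {'a': ['b', 'c'], 'd': ['e']}.

    Directive names are case-insensitive; per the spec, only the first
    occurrence of a directive counts, later duplicates are ignored.
    """
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Resolve a fetch directive, falling back to default-src when absent."""
    if directive in policy:
        return policy[directive]
    return policy.get(FETCH_FALLBACK, [])


def script_weaknesses(header: str) -> List[str]:
    """Return human-readable findings for script sources that defeat XSS mitigation.

    An empty list means the policy restricts script execution to an explicit
    allow-list of origins, which is what blocks reflected/stored XSS payloads.
    """
    policy = parse_csp(header)
    sources = [s.lower() for s in effective_sources(policy, "script-src")]
    findings: List[str] = []

    if not sources:
        # Neither script-src nor default-src: CSP places no limit on script at all.
        findings.append("no script-src or default-src: script execution is unrestricted")
        return findings

    if "'unsafe-inline'" in sources:
        findings.append("'unsafe-inline' lets an injected inline <script> run")
    if "'unsafe-eval'" in sources:
        findings.append("'unsafe-eval' lets injected strings reach eval()")
    if "*" in sources:
        findings.append("'*' allows script from any origin")
    for src in sources:
        if src in ("http:", "https:", "data:"):
            findings.append(f"scheme source {src} allows script from any host on that scheme")
    return findings


# Constructed sample policies: a permissive one and a hardened one.
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' *"
STRICT_POLICY = "default-src 'none'; script-src 'self' https://cdn.example.test; style-src 'self'"

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(f"{label}: {script_weaknesses(policy) or ['no script-src weaknesses found']}")
```

The checker only covers the script-src directive, since that is the one that decides whether an XSS payload executes; a full CSP audit would also look at object-src, base-uri and frame-ancestors.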

Thanks Logos. Please, post back the results. A lot of us use LastPass… :slight_smile:

what bothers me the most tbh is Chrome, which doesn’t have any serious JS and/or cross-site scripting protection… there was something, an experimental feature found in about:flags, called “XSS auditor”; it’s not there anymore in the last dev version. They may have fully integrated it, but I don’t see it in the change log, and there’s no new option in the UI.

here’s the answer from NoScript developer:
http://forums.informaction.com/viewtopic.php?f=8&t=5928&p=25805#p25803

Thanks Logos…!!
No wonder that I like NS so much… :wink:
asyn

Thanks Logos. NS is doing its job.