
Chrome Extension slowing down all sites

Posted: Thu Dec 28, 2017 2:53 pm
by haykuro
This "mouseup" code in onloadwff.js is executing on every mouse click.

On some sites with a lot of inputs the following code can take > 10 seconds.

https://gist.github.com/anonymous/84575938823a42b55638e507694f11ec (updated snippet: @12/28/2017 2:21PM)

Screenshot of the offending line: https://i.imgur.com/Oz608ai.png
Another screenshot: https://i.imgur.com/1183Cwy.png

Can someone @ LastPass please fix this?

The only way I can work on some sites is by disabling the extension and re-enabling when I need to login to something.

For reference, I am on the following:
Version: 4.3.0
Built: Wed Nov 15 2017 10:05:09 GMT-0500 (EST)

EDIT @ 4:20PM:

Created another sample for you to test this out:
https://gist.githack.com/anonymous/6aea35595465b8682e63b32a309995b5/raw/5dcf5ab8bcee753c07931c673b7f0912e480c21e/last_pass_demo.html#

This demo has a running timer that updates every millisecond. When you click the "Test Slowness" link you'll notice the javascript engine HANGS.

This hang is excessive, not sure what LastPass team can do to fix this..

Re: Chrome Extension slowing down all sites

Posted: Wed Jan 03, 2018 6:10 pm
by haykuro
bumping this thread..

Still no update from anyone @ LastPass?

[cross post] Chrome Extension Slowing Down ALL sites

Posted: Wed Jan 03, 2018 6:11 pm
by haykuro
See my original post here: viewtopic.php?f=6&t=286955

Re: Chrome Extension slowing down all sites

Posted: Mon Jan 22, 2018 10:28 am
by joelbrage660
ReBump, this makes every website slow and totally destroys any kind of web development/profiling.

Re: Chrome Extension slowing down all sites

Posted: Thu Mar 08, 2018 6:43 pm
by mb708
Same here, freezes up multiple sites. Any idea of a fix on this? Excluding the site doesn't work either, have to disable the extension.

Re: Chrome Extension slowing down all sites

Posted: Tue Jun 05, 2018 3:40 am
by jonfree
My users have just reported this issue on a page within our app where there are 2556+ form fields on one page. I've tested it with and without the extension and it's only valid with the extension in place. Has anyone seen a fix to this yet?

Re: Chrome Extension slowing down all sites

Posted: Tue Jun 05, 2018 6:48 pm
by haykuro
Greetings all who have replied..

Some more info on this issue:

I submitted a report to the CVE on April 17th, 2018; it has since been approved and an official CVE # has been assigned: https://cve.mitre.org/cgi-bin/cvename.c ... 2018-10193

LastPass has yet to reach out with any sort of response other than one twitter response found here: https://twitter.com/LastPassHelp/status ... 5650071552 where they acknowledge receiving my report.

Sounds like internally no one has budged on this issue. I'm not sure if it's a serious undertaking, but I would at least like an explanation why a for loop is required on every mouse click to go through EVERY SINGLE input element on the page, given how common it is for certain large enterprise web interfaces to contain a couple thousand inputs.

Not only is this an inconvenience to enterprise users who are being DoS'd by their own browser extension, ANY malicious website can trigger this DoS by injecting a couple inputs to the page, enough to slow down or cause headaches for users worldwide.

LastPass, do the right thing and at least engage your developers to provide a reasoning for this aggressive and greedy for loop.
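
The cost difference discussed in the post above, as an added example that is not part of the original post and is not LastPass code: a mouseup handler that walks every input on the page, beside one that only looks at the clicked input's own form under a fixed budget. The page model, function names and `MAX_FIELDS_PER_EVENT` are hypothetical, and plain objects stand in for DOM nodes so the block runs under Node.

```javascript
// Constructed page model: plain objects stand in for DOM nodes.
function buildPage(formCount, inputsPerForm) {
  const forms = [];
  for (let f = 0; f < formCount; f++) {
    const form = { tagName: 'FORM', inputs: [] };
    for (let i = 0; i < inputsPerForm; i++) {
      // First field of each form is a password field, the rest are text.
      form.inputs.push({ tagName: 'INPUT', type: i === 0 ? 'password' : 'text', form });
    }
    forms.push(form);
  }
  return { forms, allInputs: () => forms.flatMap((f) => f.inputs) };
}

// Pattern the thread describes: each mouseup walks every input on the page,
// so the work per click is set by whoever controls the page's markup.
function scanAllOnMouseup(page, event) {
  let visited = 0;
  let passwordFields = 0;
  for (const el of page.allInputs()) {
    visited++;
    if (el.type === 'password') passwordFields++;
  }
  return { visited, passwordFields, truncated: false };
}

// Bounded alternative (hypothetical): skip clicks that are not on an input,
// inspect only the clicked input's own form, and cap the fields examined.
const MAX_FIELDS_PER_EVENT = 200; // assumed budget, not a LastPass setting
function scanScopedOnMouseup(page, event) {
  const target = event.target;
  if (!target || target.tagName !== 'INPUT' || !target.form) {
    return { visited: 0, passwordFields: 0, truncated: false };
  }
  const fields = target.form.inputs;
  const limit = Math.min(fields.length, MAX_FIELDS_PER_EVENT);
  let passwordFields = 0;
  for (let i = 0; i < limit; i++) {
    if (fields[i].type === 'password') passwordFields++;
  }
  return { visited: limit, passwordFields, truncated: fields.length > limit };
}
```

The `visited` count is the per-click work: it equals the page's total input count in the first handler and never exceeds the budget in the second.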

Re: Chrome Extension slowing down all sites

Posted: Tue Jul 03, 2018 12:37 pm
by haykuro
Latest Exploitable Version of LastPass: 4.15.0 (LATEST, @ July 3, 2018)

Video Proof: https://www.youtube.com/watch?v=wTcYWZwq3TE

More Info:

- viewtopic.php?f=12&t=286955
- https://cve.mitre.org/cgi-bin/cvename.c ... 2018-10193

Re: Chrome Extension slowing down all sites

Posted: Tue Jul 03, 2018 2:07 pm
by jpenny84
haykuro Wrote:Latest Exploitable Version of LastPass: 4.15.0 (LATEST, @ July 3, 2018)

Video Proof: https://www.youtube.com/watch?v=wTcYWZwq3TE

More Info:

- viewtopic.php?f=12&t=286955
- https://cve.mitre.org/cgi-bin/cvename.c ... 2018-10193


Did you try disabling the 9-10 other extensions that I see running in your browser toolbar?

Re: Chrome Extension slowing down all sites

Posted: Tue Jul 03, 2018 2:17 pm
by haykuro
Yes.

The other extensions are not related. This issue only happens when LastPass is active, and I know it comes from onloadwff.js (an audit from the PoC shows this file, and not some other extension, consuming large amounts of resources).

"Allows remote attackers to cause a denial of service (browser hang) via an HTML document because the resource consumption of onloadwff.js grows with the number of INPUT elements." - https://nvd.nist.gov/vuln/detail/CVE-2018-10193

It's been months I've been trying to report this; it would be nice to have someone from LastPass's Q/A or dev team test this from a clean environment (as I have) instead of trying to pass blame on other extensions.