Chrome Extension slowing down all sites

Post by haykuro » Thu Dec 28, 2017 2:53 pm

This "mouseup" code in onloadwff.js is executing on every mouse click.

On some sites with a lot of inputs the following code can take > 10 seconds.

https://gist.github.com/anonymous/84575938823a42b55638e507694f11ec (updated snippet: @12/28/2017 2:21PM)

Screenshot of the offending line: https://i.imgur.com/Oz608ai.png
another screenshot: https://i.imgur.com/1183Cwy.png

Can someone @ LastPass please fix this?

The only way I can work on some sites is by disabling the extension and re-enabling when I need to login to something.

For reference, I am on the following:
Version: 4.3.0
Built: Wed Nov 15 2017 10:05:09 GMT-0500 (EST)

EDIT @ 4:20PM:

Created another sample for you to test this out:
https://gist.githack.com/anonymous/6aea35595465b8682e63b32a309995b5/raw/5dcf5ab8bcee753c07931c673b7f0912e480c21e/last_pass_demo.html#

This demo has a running timer that updates every millisecond. When you click the "Test Slowness" link you'll notice the javascript engine HANGS.

This hang is excessive, not sure what LastPass team can do to fix this..
haykuro
 
Posts: 6
Joined: Thu Dec 28, 2017 12:34 pm

Re: Chrome Extension slowing down all sites

Post by haykuro » Wed Jan 03, 2018 6:10 pm

bumping this thread..

Still no update from anyone @ LastPass ?
haykuro
 
Posts: 6
Joined: Thu Dec 28, 2017 12:34 pm

[cross post] Chrome Extension Slowing Down ALL sites

Post by haykuro » Wed Jan 03, 2018 6:11 pm

See my original post here: viewtopic.php?f=6&t=286955
haykuro
 
Posts: 6
Joined: Thu Dec 28, 2017 12:34 pm

Re: Chrome Extension slowing down all sites

Post by joelbrage660 » Mon Jan 22, 2018 10:28 am

ReBump, this makes every website slow and totally destroys any kind of web development/profiling.
joelbrage660
 
Posts: 1
Joined: Mon Jan 22, 2018 10:26 am

Re: Chrome Extension slowing down all sites

Post by mb708 » Thu Mar 08, 2018 6:43 pm

Same here, freezes up multiple sites. Any idea of a fix on this? Excluding the site doesn't work either, have to disable the extension.
mb708
 
Posts: 1
Joined: Thu Mar 08, 2018 6:41 pm

Re: Chrome Extension slowing down all sites

Post by jonfree » Tue Jun 05, 2018 3:40 am

My users have just reported this issue on a page within our app where there are 2556+ form fields on one page. I've tested it with and without the extension and it's only valid with the extension in place. Has anyone seen a fix to this yet?
jonfree
 
Posts: 1
Joined: Tue Jun 05, 2018 3:38 am

Re: Chrome Extension slowing down all sites

Post by haykuro » Tue Jun 05, 2018 6:48 pm

Greetings all who have replied..

Some more info on this issue:

I submitted a report to the CVE on April 17th, 2018; it has since been approved and an official CVE # has been assigned: https://cve.mitre.org/cgi-bin/cvename.c ... 2018-10193

LastPass has yet to reach out with any sort of response other than one Twitter response found here: https://twitter.com/LastPassHelp/status ... 5650071552 where they acknowledge receiving my report.

Sounds like internally no one has budged on this issue. I'm not sure if it's a serious undertaking, but I would at least like an explanation why a for loop is required on every mouse click to go through EVERY SINGLE input element on the page, given how common it is for certain large enterprise web interfaces to contain a couple thousand inputs.

Not only is this an inconvenience to enterprise users who are being DoS'd by their own browser extension, ANY malicious website can trigger this DoS by injecting a couple inputs to the page, enough to slow down or cause headaches for users worldwide.

LastPass, do the right thing and at least engage your developers to provide a reasoning for this aggressive and greedy for loop.
haykuro
 
Posts: 6
Joined: Thu Dec 28, 2017 12:34 pm
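
Added example, not part of the thread and not LastPass's code: a model of the per-click cost the post above describes, next to a bounded handler that inspects only the clicked field's form. Plain objects stand in for DOM nodes so it runs in Node; every function name and the 200-field cap are assumptions made for illustration.

```javascript
// Hypothetical model of the click-handler cost; not taken from onloadwff.js.
// Plain objects replace DOM nodes so this runs offline in Node.

// Constructed sample page: `formCount` forms holding `perForm` inputs each.
function buildPage(formCount, perForm) {
  const inputs = [];
  for (let f = 0; f < formCount; f++) {
    const form = { id: `form${f}`, fields: [] };
    for (let i = 0; i < perForm; i++) {
      const input = { tag: 'INPUT', type: i === 0 ? 'password' : 'text', form };
      form.fields.push(input);
      inputs.push(input);
    }
  }
  return { inputs };
}

// Pattern reported in the thread: each click walks every input on the page,
// so the work per click grows with the size of the document.
function onMouseUpScanAll(page) {
  let visited = 0;
  let hasPassword = false;
  for (const el of page.inputs) {
    visited++;
    if (el.type === 'password') hasPassword = true;
  }
  return { visited, hasPassword };
}

// Bounded alternative: only the clicked input's own form is examined, and the
// walk stops at `maxFields`, so page content cannot inflate the cost.
function onMouseUpScoped(event, maxFields = 200) {
  const target = event.target;
  if (!target || target.tag !== 'INPUT' || !target.form) {
    return { visited: 0, hasPassword: false };
  }
  let visited = 0;
  let hasPassword = false;
  for (const el of target.form.fields) {
    if (visited >= maxFields) break;
    visited++;
    if (el.type === 'password') hasPassword = true;
  }
  return { visited, hasPassword };
}
```

The `visited` counter is the quantity to watch: in the first handler it tracks the page's total input count, in the second it is bounded by the form size and the cap regardless of how many inputs the page contains.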

Re: Chrome Extension slowing down all sites

Post by haykuro » Tue Jul 03, 2018 12:37 pm

Latest Exploitable Version of LastPass: 4.15.0 (LATEST, @ July 3, 2018)

Video Proof: https://www.youtube.com/watch?v=wTcYWZwq3TE

More Info:

- viewtopic.php?f=12&t=286955
- https://cve.mitre.org/cgi-bin/cvename.c ... 2018-10193
haykuro
 
Posts: 6
Joined: Thu Dec 28, 2017 12:34 pm

Re: Chrome Extension slowing down all sites

Post by jpenny84 » Tue Jul 03, 2018 2:07 pm

haykuro Wrote:Latest Exploitable Version of LastPass: 4.15.0 (LATEST, @ July 3, 2018)

Video Proof: https://www.youtube.com/watch?v=wTcYWZwq3TE

More Info:

- viewtopic.php?f=12&t=286955
- https://cve.mitre.org/cgi-bin/cvename.c ... 2018-10193


Did you try disabling the 9-10 other extensions that I see running in your browser toolbar?
jpenny84
 
Posts: 8619
Joined: Tue Mar 06, 2012 9:10 pm

Re: Chrome Extension slowing down all sites

Post by haykuro » Tue Jul 03, 2018 2:17 pm

Yes.

The other extensions are not related. This issue only happens when LastPass is active, and I know it comes from onloadwff.js (an audit from the PoC shows this file, and not some other extension, consuming large amounts of resources).

"Allows remote attackers to cause a denial of service (browser hang) via an HTML document because the resource consumption of onloadwff.js grows with the number of INPUT elements." - https://nvd.nist.gov/vuln/detail/CVE-2018-10193

It's been months I've been trying to report this, would be nice to have someone from LastPass's Q/A or dev team test this from a clean environment (as I have) instead of trying to pass blame on other extensions.
haykuro
 
Posts: 6
Joined: Thu Dec 28, 2017 12:34 pm
