"This is possible to bypass, because you can make them match by finding a site that will iframe an untrusted page." "This will prompt if you try to clickjack filling in or copying credentials though, because frame_and_topdoc_has_same_domain() returns false," Ormandy continued. Users who click on the link open the malicious page or resource rather than the one that appears to be safe. In its most common form, clickjacking attacks place a malicious link in a transparent layer on top of a visible link that looks innocuous. "That means via some clickjacking, you can leak the credentials for the previous site logged in for the current tab."Ĭlickjacking is a class of attack that conceals the true destination of the site or resource displayed in a Web link. "Because do_popupregister() is never called, ftd_get_frameparenturl() just uses the last cached value in g_popup_url_by_tabid for the current tab," Ormandy wrote. In some cases, this unexpected method caused the popups to open with a password of the most recently visited site. In certain situations, websites could produce a popup by creating an HTML iframe that linked to the Lastpass popupfilltab.html window rather than through the expected procedure of calling a function called do_popupregister(). In a write-up that became public on Sunday, Ormandy said the flaw stemmed from the way the extension generated popup windows. The vulnerability was discovered late last month by Google Project Zero researcher Tavis Ormandy, who privately reported it to LastPass. Developers of the LastPass password manager have patched a vulnerability that made it possible for websites to steal credentials for the last account the user logged into using the Chrome or Opera extension.
0 kommentar(er)
