Note: This issue has been already been resolved and pushed to the Lastpass users.
Stealing all your passwords by just visiting a webpage. Sounds too bad to be true? That’s what I thought too before I decided to check out the security of the LastPass browser extension.
For those who don’t know, LastPass is one of the worlds most popular password managers.
I started by noticing that the extension added some HTML code to every page I visited, so I decided to dig into how that worked. A few cups of coffee later, I found something that looked really, really bad.
The bug that allowed me to extract passwords was found in the autofill functionality. First, the code parsed the URL to figure out which domain the browser was currently at, then it filled any login forms with the stored credentials.However, the URL parsing code was flawed (bug in URL parsing? shocker!).
Original URL: http://feedproxy.google.com/~r/feedsapi/BwPx/~3/vWB8EU4072M/