Mar 1, 2011

Content Security Policy (CSP) implemented on -- the beginning of the end of bookmarklets?

If you're using Firefox 4, you now gain the additional protection afforded by CSP (Content Security Policy) on

This is a big step forward in terms of protection from any Cross Site Scripting attack - and potentially other browser-based attacks - ensuring that even if one occurred, each page could control exactly which pages it can talk to, so that there is no possibility of data leakage resulting from the attack.

This has been eye-opening as we've implemented it. It has a reporting infrastructure built in so you can see exactly what requests are being blocked. We've already seen over a dozen unique bookmarklets caught in our CSP blocking net.

Does this mean the end of bookmarklets? Any site with sensitive data will ultimately implement CSP, making even our own bookmarklet for logging in obsolete. Now is the time to start requesting that browsers support overrides to the CSP to keep your favorite bookmarklets working everywhere.

Today, CSP is only deployed on Firefox 4, but the LastPass extension should support it on a number of other browsers in our next release.

We haven't fully locked down our CSP yet; today we're allowing every page from to talk to, but soon we'll lock this down further so that can ONLY talk to, which will be another big step forward.

Feb 27, 2011

Cross Site Scripting vulnerability reported, fixed

While no client data was impacted, we were notified at ~3pm Eastern time yesterday of a non-persistent cross site scripting vulnerability on the website. By 5:30pm it was fixed, tested, and deployed, closing the hole. It's important to note that this was not a flaw with the extensions, and it could only be potentially exploited if you visited a malicious site that was set up to exploit this flaw while you were logged into LastPass.

The cause of this issue was with our testing procedure for this particular case, which has been rectified. Our logs indicate that there's no sign of this being successfully utilized (beyond the person who found it). We've made a number of changes to improve security on the website and help reduce the chance of a recurrence of this kind of issue:

1) Implemented HSTS (HTTP Strict Transport Security): This will ensure browsers that support it (Chrome and Firefox 4) will be forced to stay on secure SSL web requests for the domain.

2) Increased our input filtering and stateful inspection.

3) We've implemented X-Frame-Options, which makes an attack like this more difficult to exploit, as it makes it impossible for our pages to be embedded in another page via an iframe/frame.

4) We've begun implementing something very similar to Content Security Policy (CSP). LastPass is a browser extension, so we can implement this today and roll it out far more quickly than the browsers themselves will support it.
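To make the headers in this list and the CSP "blocking net" from the Mar 1 post concrete, here is an added Python sketch; it is not LastPass's code, and the hostnames, policies and report shape are constructed. It emits the three response headers, then simulates how a browser evaluates a policy: a third-party script a bookmarklet injects is blocked and turned into a violation report, while the permissive transition policy still lets pages talk to a sibling host.

```python
from urllib.parse import urlparse

# Constructed policies, not LastPass's real headers: the permissive transition
# policy the post describes (pages may still talk to a sibling host) and the
# locked-down policy that allows only the page's own origin.
PERMISSIVE_CSP = "default-src 'self' https://*.example.test; report-uri /csp-report"
STRICT_CSP = "default-src 'self'; script-src 'self'; report-uri /csp-report"

def hardening_headers(csp):
    """The three response headers the post lists. Firefox 4 read the draft
    header name X-Content-Security-Policy; the standard name is used here."""
    return {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": csp,
    }

def parse_csp(policy):
    """Split 'directive src src; directive ...' into {directive: [sources]}."""
    directives = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0]] = parts[1:]
    return directives

def source_allows(src, page_origin, url):
    """Does one source expression permit loading `url` into a page at `page_origin`?"""
    u = urlparse(url)
    if src == "'none'":
        return False
    if src == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    scheme, _, host = src.partition("://")
    if u.scheme != scheme:
        return False
    if host.startswith("*."):  # wildcard host matches any subdomain
        return u.hostname.endswith(host[1:])
    return u.hostname == host

def check_load(policy, page_origin, directive, url):
    """Simulate the browser's decision: None if allowed, otherwise the violation
    report it would POST to report-uri (the 'blocking net' the post describes)."""
    directives = parse_csp(policy)
    sources = directives.get(directive) or directives.get("default-src", [])
    if any(source_allows(s, page_origin, url) for s in sources):
        return None
    return {"document-uri": page_origin + "/", "violated-directive": directive,
            "blocked-uri": url, "report-uri": directives.get("report-uri", [None])[0]}
```

Feeding the returned reports into a log is what lets you see, as the Mar 1 post describes, exactly which bookmarklets and cross-host requests a policy is catching before you tighten it.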

We believe this issue to be resolved but are continuing to audit and implement ways to further mitigate risk. If you would like to take extra precautions in the interim a good security practice would be to avoid keeping yourself logged into LastPass if you're visiting websites of ill repute.

CSP is a big step forward in risk reduction from this kind of attack. While we're disappointed we missed this case up-front, we're pleased that it will lead to an even stronger product in the near term.

For those wanting to learn more about non-persistent Cross Site Scripting (XSS) you can read about it here:

Our thanks to Mike Cardwell for responsibly reporting this issue.