LastPass security hole (cross site scripting) ... possibly solved now.

[Hermite15]

... thought it was worth starting a new thread

lastpass cross scripting vulnerability revealed:
http://www.theregister.co.uk/2011/03/01/password_management_site_xss_bug/
https://grepular.com/LastPass_Vulnerability_Exposes_Account_Details

forum thread:
http://forums.lastpass.com/viewtopic.php?f=12&t=60559

lastpass response:
http://blog.lastpass.com/2011/02/cross-site-scripting-vulnerability.html
http://blog.lastpass.com/2011/03/content-security-policy-csp-implemented.html

... I guess - if we don't take LP recent fixes into account - people using FF NoScript on any FF version or simply using FF4 (CSP implementation https://wiki.mozilla.org/Security/CSP/Specification ) are protected.

edit: to make things clear if needed, the issue obviously only exists or may exist when you login to your LastPass account directly on LastPass website, not when using the browser plugin.

[Hermite15]

just posted this on NS forums:
http://forums.informaction.com/viewtopic.php?f=8&t=5928#p25741

expecting feedback there...

[Lisandro]

Thanks Logos. Please, post back the results. A lot of us use Lastpass...

[Hermite15]

what bothers me the most tbh is Chrome that doesn't have any serious JS and/or cross site scripting protection... there was something, experimental feature found in about:flags, called "XSS auditor", it's not there anymore in the last dev version. They may have fully integrated it but I don't see it in the change log, and there's no new option in the UI.

[Hermite15]

here's the answer from NoScript developer:
http://forums.informaction.com/viewtopic.php?f=8&t=5928&p=25805#p25803

[Asyn]

here's the answer from NoScript developer:
http://forums.informaction.com/viewtopic.php?f=8&t=5928&p=25805#p25803

Thanks Logos..!!
No wonder, that I like NS so much...
asyn

[Lisandro]

Thanks Logos. NS is doing its job.