“Lastpass” is a website which offers the user a safe and easy way to secure their passwords. The service can be used on every system and there are also existing plugins for every type of browsers, so the service can be used really easy.
For such a website the secureness of the userdata is very important, because the company does not want to lose their customers trust.
Lastpass.com offers , like many other companies the possibilty of “responsible disclosures” for the report of a security issue. The researchers who were the first to discover a valid security issue will be listed in the Hall of Fame. We’ve discovered an open redirect as well as a information disclosure on the website and we wrote an e-mail to the certain responsible security team at the 02nd of mai 2013 .
The full path disclosure was possible here, because of the fact that in the newer php versions, the header()-instruction does not allow line breaks and throws an error instead. Unfortunately no header injection, but at least an information disclosure bug. The affected parameter also allowed us to redirect a user to whatever domain we wanted.
The code should have looked like that:
We’ve got an answer within a hour with the happy message that the security issue were valid and that they’re going to fix them asap. After the fix we’ve been added to the Lastpass Hall of Fame :)
The Team of Internetwache.org