News, Token, Tokenless, Vulnerability

LastPass Vulnerability Exposes Account Details

Shazam, best known as a music-identification app, is venturing deeper into the social TV sphere Monday with the expansion of its Shazam for TV second-screen experience.

Shows and advertisements have already been compatible with Shazam via partnerships — notably the London Olympics and Super Bowl commercials — but now Shazam works with all shows on 160 channels in the U.S. except for some local programming.

When I used Shazam while watching Friends, for example, the app pulled up cast details, music from the episode, celebrity gossip about the actors, trivia, Twitter messages, the show’s web pages (i.e. official, IMDB and Wikipedia), merchandise and the option to share Shazam’s information on Facebook and Twitter.

For sports broadcasts, the app aggregates schedules, scores and statistics (check out the gallery below).

Doug Garland, Shazam’s chief revenue officer, tells Mashable that the “much richer experience” will encourage users to return to the app. The celebrity buzz data alone combs 140 sites, while Facebook integration pushes Shazam activity to users’ Timelines.

Article by Grepular

LASTPASS RESPONSE:

Cross Site Scripting vulnerability reported, fixed
While no client data was impacted, we were notified at ~3pm Eastern time yesterday of a non-persistent cross site scripting vulnerability on the LastPass.com website. By 5:30pm it was fixed, tested and deployed, closing the hole. It’s important to note that this was not a flaw with the extensions, and could only be potentially exploited if you visited a malicious site that was set up to exploit this flaw while you were logged into LastPass.

The cause of this issue was with our testing procedure for this particular case, which has been rectified. Our logs indicate that there’s no sign of this being successfully utilized (beyond the person who found it). We’ve made a number of changes to improve security on the LastPass.com website and help reduce the chance of a recurrence of this kind of issue:

1) Implemented HSTS (http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security). This will ensure browsers that support it (Chrome and Firefox 4) will be forced to stay on secure SSL web requests for the lastpass.com domain.

2) Increased our input filtering and stateful inspection.

3) We’ve implemented X-Frame-Options (https://developer.mozilla.org/en/the_x-frame-options_response_header), which would make an attack like this more difficult to exploit, as it makes it impossible for our pages to be embedded in another page via an iframe/frame.

4) We’ve begun implementing something very similar to Content Security Policy (CSP) (https://wiki.mozilla.org/Security/CSP/Specification). LastPass is a browser extension, so we can implement this today and we can roll it out far more quickly than the browsers themselves will support it.

We believe this issue to be resolved but are continuing to audit and implement ways to further mitigate risk. If you would like to take extra precautions in the interim a good security practice would be to avoid keeping yourself logged into LastPass if you’re visiting websites of ill repute.

CSP is a big step forward in risk reduction from this kind of attack. While we’re disappointed we missed this case up-front, we’re pleased that this will lead to an even stronger product in the near term.

For those wanting to learn more about non-persistent Cross Site Scripting (XSS), you can read about it here: http://en.wikipedia.org/wiki/Cross-site_scripting
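The statement above describes two things in the abstract: the reflected (non-persistent) XSS pattern, where a request parameter is echoed into the page unescaped, and the three response-header mitigations LastPass listed (HSTS, X-Frame-Options, CSP). The example below is added here for illustration and is not LastPass's code nor code from the original post. It shows a vulnerable and a hardened render of a reflected parameter side by side, and a small audit routine that flags missing or weak versions of those headers in a response. All function names, the sample query and the two header sets are constructed for the example.

```python
import html

# Constructed sample input (not from the page): a user-controlled search string
# carrying markup, the kind of value a reflected-XSS test would submit.
SAMPLE_QUERY = 'friends<script>alert(1)</script>'

# Constructed: a response carrying none of the hardening headers.
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
}

# Constructed: a response carrying all three mitigations named in the statement.
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                               "object-src 'none'; frame-ancestors 'none'",
}


def render_vulnerable(query: str) -> str:
    """Echo the query straight into the HTML: the non-persistent XSS pattern."""
    return f"<h1>Results for {query}</h1>"


def render_hardened(query: str) -> str:
    """Same page, with the query HTML-escaped before it is written into markup."""
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


def parse_csp(policy: str) -> dict:
    """Split a CSP header value into {directive: [source, ...]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def hsts_max_age(value: str):
    """Return the max-age of an HSTS header as an int, or None if absent."""
    for token in value.split(";"):
        name, _, val = token.strip().partition("=")
        if name.lower() == "max-age" and val.isdigit():
            return int(val)
    return None


def audit_headers(headers: dict) -> list:
    """Report missing or weak forms of HSTS, X-Frame-Options and CSP."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    elif (hsts_max_age(hsts) or 0) < 180 * 24 * 3600:
        findings.append("HSTS max-age shorter than 180 days")

    xfo = h.get("x-frame-options", "").strip().upper()
    if not xfo:
        findings.append("X-Frame-Options missing")
    elif xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options has unexpected value {xfo!r}")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        directives = parse_csp(csp)
        # script-src falls back to default-src when not given explicitly.
        script_src = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in script_src:
            findings.append("CSP allows inline scripts ('unsafe-inline')")
        if "*" in script_src:
            findings.append("CSP script-src allows any origin (*)")
        if "frame-ancestors" not in directives:
            findings.append("CSP lacks frame-ancestors (relies on X-Frame-Options alone)")
    return findings


if __name__ == "__main__":
    print(render_vulnerable(SAMPLE_QUERY))
    print(render_hardened(SAMPLE_QUERY))
    print(audit_headers(WEAK_HEADERS))
    print(audit_headers(HARDENED_HEADERS))
```

The escaping step is what removes the reflected-XSS condition; the headers are defence in depth, which matches how the statement frames them. X-Frame-Options and CSP's frame-ancestors overlap deliberately: the audit flags a policy that has neither, because a page that can be framed is easier to abuse even when a script-injection point has already been closed.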
