Hello, welcome to the Monday, April 3rd, 2017 edition of the Santernet Snowlander's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Today we'll start with attacks against the password managers. Of course, I've mentioned a few in the

past. And let's start with LastPass again.

Google's project, Zero of course, has spent a lot of time with LastPass recently and found

a couple of vulnerabilities already.

The latest vulnerability is kind of interesting because it affected more than just one specific

piece of code.

The problem here was how LastPass used JavaScript.

Now in order to find password forms, LastPass does inject JavaScript into webpages that

are being loaded in the browser.

And Google's Project Zero here of course looked at the Chrome extension

for LastPass. This JavaScript is typically safe, it's isolated from the page itself, but it also

has special privileges. It can, for example, execute code on the host. The problem here with LastPass was that they didn't initialize all the variables that

are used in their privileged JavaScript, which then can lead to these variables being defined

by the page, not by this privileged world or this privileged JavaScript.

Now, LastPass was very fast in the releasing a patch for this particular problem and the patch

is available.

So you should download this as soon as possible.

The next issue is with key pass and that's really not all that severe.

It's really a nice presentation that was presented at B-Sides New Orleans and goes over various ways how KeyPass can be attacked.

Now, of course, like any one of these systems, you can

...