Subdomain autofill feature raises questions over LastPass security

Password manager criticized for its sub-par approach to subdomains

LastPass, one of the world’s most popular password managers, came under fire this week, after it became apparent that the service autofills passwords across all subdomains by default.

While it’s clear that this feature has been implemented to provide users with quick and easy access to different domains under the same parent site, web security specialists said autofill-by-default throws up a myriad of potential security issues.

Taking to Twitter earlier this week, James Kettle, researcher at PortSwigger Web Security, pointed LastPass users to an undated support center post on the password manager’s website, which reads: “By default, LastPass uses the 2nd level domain name to decide if a site’s credentials should be autofilled.”

Although this functionality can make it easier for users to access content across sites, Kettle said it was “equivalent to a website setting a non-HttpOnly overscoped cookie containing your plaintext password”.

The potential dangers of this practice can be illustrated using the examplebank.com domain.

Although examplebank.com might be subject to regular security audits, an attacker could seek to obtain a user’s password by compromising a less secure subdomain, such as marketing.examplebank.com, as LastPass would happily volunteer the credentials using the autofill feature.

Some sites – such as blogging platforms – intentionally provide customers with their own subdomain. The LastPass subdomain autofill feature exposes them to cross-user attacks.

Another example of how password autofill across subdomains increases the attack surface lies in the fact that organizations often delegate subdomains to third parties for non-critical functions, such as support centers.

The autofill password feature could also leave LastPass users open to subdomain takeover attacks.

Armed with knowledge of the feature, an attacker looking to compromise an account could simply target the subdomain with the weakest security.

“I think password managers are great but if you’re using LastPass and haven’t disabled autofill, an attacker who wants your password has a lot of options,” Kettle told The Daily Swig.

Users can mitigate this risk by disabling the default autofill feature in LastPass.

The Daily Swig has reached out to the developer for comment.