These findings are un-exploitable under most circumstances. Remote logins (such as logins to a computer via logmein.com, a desktop shortcut or a LogMeIn RSS feed) are safe from cross-site request forgery (CSRF) exploits since the hostname is randomized during remote access. A typical remote URL would appear as https://dudley-wlibwwlcqq.app107.logmein.com/, which is not possible for an attacker to anticipate. To exploit one of the reported findings a user would have to visit a malicious website while being logged in to a local LogMeIn installation as an administrator via the https://localhost:2002 interface.

Users are only at risk from malicious websites when they have the local LogMeIn web interface opened and they’re logged in with administrator credentials – this is typically done by opening a browser and manually pointing it at https://localhost:2002 or by clicking the LogMeIn tray icon and selecting Open LogMeIn from the menu. The only reason a user would do this is to change LogMeIn host configuration settings.

LogMeIn recommends one of the following:

- Before opening the local web interface, users should close all other browser windows and tabs. When finished with the local LogMeIn interface, users should click Log Out or Disconnect.

- If the above is not feasible, do not access the local web interface. All settings and options available from the local web interface are also available via logins through the logmein.com website, and that is not at risk from CSRF.

Thank you,
Trip Kucera
Director, Corporate Communications
LogMeIn, Inc.

Nice work