LastPass vulnerability potentially exposed passwords for Internet Explorer users

LastPass, the popular password management tool, has been patched to fix a security flaw that could have left the passwords of Internet Explorer users potentially exposed.

Regular readers will know that I am a big proponent of computer users protecting themselves with tools like Bitwarden, 1Password, and KeePass to help remember and generate unique passwords for every website they use.

It’s a lot better, for instance, than trusting your web browser to remember your password.

But it is essential, of course, that these password management programs are secure - and not leaking sensitive information.

As PC Magazine describes, a flaw was found in the Windows Internet Explorer version of LastPass that meant passwords could be read in plaintext if a memory dump was performed on Internet Explorer.

Fortunately, there are some mitigating circumstances, as the folks at LastPass described to PC Magazine:

“This particular issue would be extremely difficult to exploit - requiring that you be using IE, that you’ve logged in to LastPass to decrypt your data, perform a memory dump, hunt through the memory dump, and actually locate the passwords - we have made fixing this a priority because we value the privacy and security of our users’ data above all else.”

Nevertheless, LastPass responded quickly - and included a security patch for the problem (alongside other fixes) in an important update.

Although this incident is undoubtedly embarrassing for LastPass, I still recommend password management software for all internet users. Keep them updated, and you should find them a heck of a lot safer than trying to remember secure passwords yourself for every website you access.


3 Responses

  1. Sam

    August 19, 2013 at 3:40 pm

    So Graham

    What password manager do you recommend/use? I’m currently using RoboForm, but I never see it mentioned in articles like yours which usually mention LastPass, 1Password, and KeePass.

    This worries me a little as the lack of mentions of RoboForm implies that it’s not that good…

    • Graham Cluley in reply to Sam.

      August 19, 2013 at 4:17 pm

      I haven’t ever used RoboForm myself, but I’ve also not heard anything bad about it. :) I would be surprised if it does a less than competent job as it has been around for a long time.

  2. Rodney

    August 19, 2013 at 5:31 pm

    This doesn’t seem much different than any other password vault solution. If you get a memory dump with the key in it you can decrypt anything that was in the vault.

    Physical access makes plugging in a Firewire or Thunderbolt device to grab memory dumps easy.

    About the only thing I could see doing different would be to make auto-lock a default option.
