LastPass vulnerability potentially exposed passwords for Internet Explorer users

LastPass, the popular password management tool, has been patched to fix a security flaw that could have exposed the passwords of Internet Explorer users.

Regular readers will know that I am a big proponent of computer users protecting themselves with tools like LastPass, 1Password, and KeePass to help generate and remember a unique password for every website they use.

It’s a lot better, for instance, than trusting your web browser to remember your password.

But it is essential, of course, that these password management programs are secure - and not leaking sensitive information.

As PC Magazine describes, a flaw was found in the LastPass add-on for Internet Explorer on Windows: once a user had logged in and unlocked their vault, decrypted passwords remained in the browser's process memory in plaintext, so anyone able to take a memory dump of Internet Explorer could read them.

Fortunately, there are some mitigating circumstances, as the folks at LastPass described to PC Magazine:

“This particular issue would be extremely difficult to exploit - requiring that you be using IE, that you’ve logged in to LastPass to decrypt your data, perform a memory dump, hunt through the memory dump, and actually locate the passwords - we have made fixing this a priority because we value the privacy and security of our users’ data above all else.”
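The flaw comes down to a decrypted secret that outlives its use in process memory. The C program below is an added example, not code from the original article or from LastPass: it models a decrypted vault entry written into a region standing in for the browser heap, performs the "hunt through the memory dump" step from the statement above using a username the attacker already knows as the anchor, and shows that wiping the buffer as soon as the autofill is done (through a memset the compiler cannot optimise away) leaves nothing for the scan to find. The credential, the memory layout and every function name are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_SIZE 4096

/* Constructed stand-in for a region of the browser's heap that the
 * password manager writes decrypted vault fields into. */
typedef struct {
    unsigned char mem[IMAGE_SIZE];
    size_t used;
} memory_image;

/* Constructed sample credential (not real data). */
static const char SAMPLE_URL[]  = "https://example.test/login";
static const char SAMPLE_USER[] = "alice@example.test";
static const char SAMPLE_PASS[] = "Tr0ub4dor&3";

/* Append a NUL-terminated string to the image; returns its offset. */
static size_t image_append(memory_image *img, const char *s) {
    size_t off = img->used, n = strlen(s) + 1;
    if (off + n > IMAGE_SIZE) return (size_t)-1;
    memcpy(img->mem + off, s, n);
    img->used += n;
    return off;
}

/* memset reached through a volatile function pointer, so the compiler
 * cannot treat a wipe of a buffer that is about to be freed as a dead
 * store and drop it. Portable stand-in for explicit_bzero() or
 * SecureZeroMemory(). */
static void *(*volatile secure_memset)(void *, int, size_t) = memset;

/* Attacker side: given a dump, find `anchor` (a username or URL you
 * already know) and return the printable string stored right after it.
 * Returns NULL when that slot is empty or not printable. */
static const char *string_after_anchor(const unsigned char *dump, size_t len,
                                       const char *anchor,
                                       char *out, size_t outlen) {
    size_t alen = strlen(anchor);
    for (size_t i = 0; i + alen <= len; i++) {
        if (memcmp(dump + i, anchor, alen) != 0) continue;
        size_t j = i + alen;
        if (j < len && dump[j] == 0) j++;          /* anchor's own terminator */
        size_t k = 0;
        while (j < len && dump[j] != 0 && isprint(dump[j]) && k + 1 < outlen)
            out[k++] = (char)dump[j++];
        out[k] = 0;
        return k ? out : NULL;
    }
    return NULL;
}

static memory_image image;
static char recovered[128];

/* Vulnerable flow: decrypt the entry into memory, autofill, and simply
 * forget about the buffer. A dump taken any time afterwards still holds
 * the plaintext. Returns whatever the attacker's scan recovers. */
const char *recover_from_vulnerable_flow(void) {
    memset(&image, 0, sizeof image);
    image_append(&image, SAMPLE_URL);
    image_append(&image, SAMPLE_USER);
    image_append(&image, SAMPLE_PASS);      /* decrypted, used, never cleared */
    return string_after_anchor(image.mem, image.used, SAMPLE_USER,
                               recovered, sizeof recovered);
}

/* Hardened flow: identical, except the plaintext is wiped as soon as
 * the autofill has happened. */
const char *recover_from_hardened_flow(void) {
    memset(&image, 0, sizeof image);
    image_append(&image, SAMPLE_URL);
    image_append(&image, SAMPLE_USER);
    size_t off = image_append(&image, SAMPLE_PASS);
    /* ... autofill into the page happens here ... */
    secure_memset(image.mem + off, 0, strlen(SAMPLE_PASS));
    return string_after_anchor(image.mem, image.used, SAMPLE_USER,
                               recovered, sizeof recovered);
}

int main(void) {
    const char *p = recover_from_vulnerable_flow();
    printf("vulnerable flow: %s\n", p ? p : "(nothing found)");
    p = recover_from_hardened_flow();
    printf("hardened flow:   %s\n", p ? p : "(nothing found)");
    return 0;
}
```

Scrubbing only narrows the window: a dump taken while the vault is unlocked and an entry is actually in use will still contain it, which is why an idle auto-lock matters as much as clearing buffers. In production code use the platform primitive (explicit_bzero, memset_s or SecureZeroMemory) rather than the volatile-pointer trick, which is shown here only because it is portable.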

Nevertheless, LastPass responded quickly - and included a security patch for the problem (alongside other fixes) in an important update.

Although this incident is undoubtedly embarrassing for LastPass, I still recommend password management software for all internet users. Keep it updated, and you should find it a heck of a lot safer than trying to remember a secure password yourself for every website you access.



3 Responses

  1. Sam

    August 19, 2013 at 3:40 pm

    So Graham,

    What password manager do you recommend/use? I’m currently using RoboForm, but I never see it mentioned in articles like yours which usually mention LastPass, 1Password, and KeePass.

    This worries me a little as the lack of mentions of RoboForm implies that it’s not that good…

    • Graham Cluley in reply to Sam.

      August 19, 2013 at 4:17 pm

      I haven’t ever used RoboForm myself, but I’ve also not heard anything bad about it. :) I would be surprised if it does a less than competent job as it has been around for a long time.

  2. Rodney

    August 19, 2013 at 5:31 pm

    This doesn’t seem much different than any other password vault solution. If you get a memory dump with the key in it you can decrypt anything that was in the vault.

    Physical access makes plugging in a Firewire or Thunderbolt device to grab memory dumps easy.

    About the only thing I could see doing different would be to make auto-lock a default option.
