LastPass vulnerability potentially exposed passwords for Internet Explorer users

Graham Cluley

LastPass, the popular password management tool, has been patched to fix a security flaw that could have left the passwords of Internet Explorer users potentially exposed.

Regular readers will know that I am a big proponent of computer users protecting themselves with tools like Bitwarden, 1Password, and KeePass to help remember and generate unique passwords for every website they use.

It’s a lot better, for instance, than trusting your web browser to remember your password.

But it is essential, of course, that these password management programs are secure – and not leaking sensitive information.

As PC Magazine describes, a flaw was found in the Windows Internet Explorer version of LastPass that meant passwords could be read in plaintext if a memory dump was performed on Internet Explorer.

Fortunately, there are some mitigating circumstances, as the folks at LastPass described to PC Magazine:

“This particular issue would be extremely difficult to exploit – requiring that you be using IE, that you’ve logged in to LastPass to decrypt your data, perform a memory dump, hunt through the memory dump, and actually locate the passwords – we have made fixing this a priority because we value the privacy and security of our users’ data above all else.”

Nevertheless, LastPass responded quickly – and included a security patch for the problem (alongside other fixes) in an important update.

Although this incident is undoubtedly embarrassing for LastPass, I still recommend password management software for all internet users. Keep them updated, and you should find them a heck of a lot safer than trying to remember secure passwords yourself for every website you access.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

3 Replies to “LastPass vulnerability potentially exposed passwords for Internet Explorer users”

  1. So Graham

    What password manager do you recommend/use? I'm currently using RoboForm, but I never see it mentioned in articles like yours which usually mention LastPass, 1Password, and KeePass.

    This worries me a little as the lack of mentions of RoboForm implies that it's not that good…

    1. I haven't ever used RoboForm myself, but I've also not heard anything bad about it. :) I would be surprised if it does a less than competent job as it has been around for a long time.

  2. This doesn't seem much different than any other password vault solution. If you get a memory dump with the key in it you can decrypt anything that was in the vault.

    Physical access makes plugging in a Firewire or Thunderbolt device to grab memory dumps easy.

    About the only thing I could see doing different would be to make auto-lock a default option.
