LastPass vulnerability potentially exposed passwords for Internet Explorer users

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

LastPassLastPass, the popular password management tool, has been patched to fix a security flaw that could have left the passwords of Internet Explorer users potentially exposed.

Regular readers will know that I am a big proponent of computer users protecting themselves with tools like Bitwarden, 1Password, and KeePass to help remember and generate unique passwords for every website they use.

It’s a lot better, for instance, than trusting your web browser to remember your password.

But it is essential, of course, that these password management programs are secure – and not leaking sensitive information.

Sign up to our free newsletter.
Security news, advice, and tips.

As PC Magazine describes, a flaw was found in the Windows Internet Explorer version of LastPass that meant passwords could be read in plaintext if a memory dump was performed on Internet Explorer.

Fortunately, there are some mitigating circumstances, as the folks at LastPass described to PC Magazine:

“This particular issue would be extremely difficult to exploit – requiring that you be using IE, that you’ve logged in to LastPass to decrypt your data, perform a memory dump, hunt through the memory dump, and actually locate the passwords – we have made fixing this a priority because we value the privacy and security of our users’ data above all else.”

Nevertheless, LastPass responded quickly – and included a security patch for the problem (alongside other fixes) in an important update.

Although this incident is undoubtedly embarrassing for LastPass, I still recommend password management software for all internet users. Keep them updated, and you should find them a heck lot safer than trying yourself to remember secure passwords for every website you access.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

3 comments on “LastPass vulnerability potentially exposed passwords for Internet Explorer users”

  1. Sam

    So Graham

    What password manager do you recommend/use? I'm currently using RoboForm, but I never see it mentioned in articles like yours which usually mention LastPass, 1Password, and KeePass.

    This worries me a little as the lack of mentions of RoboForm implies that it's not that good…

    1. Graham CluleyGraham Cluley · in reply to Sam

      I haven't ever used RoboForm myself, but I've also not heard anything bad about it. :) I would be surprised if it does a less than competent job as it has been around for a long time.

  2. Rodney

    This doesn't seem much different than any other password vault solution. If you get a memory dump with the key in it you can decrypt anything that was in the vault.

    Physical access makes plugging in a Firewire or Thunderbolt device to grab memory dumps easy.

    About the only thing I could see doing different would be to make auto-lock a default option.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.