LastPass vulnerability potentially exposed passwords for Internet Explorer users

Graham Cluley
Graham Cluley @
@[email protected]
@gcluley

LastPassLastPass, the popular password management tool, has been patched to fix a security flaw that could have left the passwords of Internet Explorer users potentially exposed.

Regular readers will know that I am a big proponent of computer users protecting themselves with tools like Bitwarden, 1Password, and KeePass to help remember and generate unique passwords for every website they use.

It’s a lot better, for instance, than trusting your web browser to remember your password.

But it is essential, of course, that these password management programs are secure – and not leaking sensitive information.

Sign up to our free newsletter.
Security news, advice, and tips.

As PC Magazine describes, a flaw was found in the Windows Internet Explorer version of LastPass that meant passwords could be read in plaintext if a memory dump was performed on Internet Explorer.

Fortunately, there are some mitigating circumstances, as the folks at LastPass described to PC Magazine:

“This particular issue would be extremely difficult to exploit – requiring that you be using IE, that you’ve logged in to LastPass to decrypt your data, perform a memory dump, hunt through the memory dump, and actually locate the passwords – we have made fixing this a priority because we value the privacy and security of our users’ data above all else.”

Nevertheless, LastPass responded quickly – and included a security patch for the problem (alongside other fixes) in an important update.

Although this incident is undoubtedly embarrassing for LastPass, I still recommend password management software for all internet users. Keep them updated, and you should find them a heck lot safer than trying yourself to remember secure passwords for every website you access.

Graham Cluley
Graham Cluley •   @gcluley

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

You may also like...

3 comments on “LastPass vulnerability potentially exposed passwords for Internet Explorer users”

  1. Sam
    August 19, 2013 at 3:40 pm

    So Graham

    What password manager do you recommend/use? I'm currently using RoboForm, but I never see it mentioned in articles like yours which usually mention LastPass, 1Password, and KeePass.

    This worries me a little as the lack of mentions of RoboForm implies that it's not that good…

    Reply
    1. Graham CluleyGraham Cluley · in reply to Sam
      August 19, 2013 at 4:17 pm

      I haven't ever used RoboForm myself, but I've also not heard anything bad about it. :) I would be surprised if it does a less than competent job as it has been around for a long time.

      Reply
  2. Rodney
    August 19, 2013 at 5:31 pm

    This doesn't seem much different than any other password vault solution. If you get a memory dump with the key in it you can decrypt anything that was in the vault.

    Physical access makes plugging in a Firewire or Thunderbolt device to grab memory dumps easy.

    About the only thing I could see doing different would be to make auto-lock a default option.

    Reply

Leave a Reply to Graham Cluley Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.