“Password safe” company Lastpass has admitted to a bug in its Internet Explorer plug-in which could expose passwords from multiple online accounts after a browsing session.
The bug allowed attackers to see any passwords used in a recent browsing session by performing a “memory dump”, and would have worked even if the user was not logged into LastPass. LastPass emphasised, though, that the bug required physical access to the computer, and only affected users of Internet Explorer running version 2.0.20 of the LastPass plug-in.
“The scope of the issue is minimal, but privacy and security of our users’ data is paramount, so we prioritized releasing a fix,” a company spokesperson said in a report by Mashable.
The company said that the vulnerability was addressed due to the risk it could have been exploited by malware, and has issued a patch, with a new version available here.
“The updated build also contains a fix for an issue in the LastPass addon in IE, whereby if you were logged into the LastPass IE extension version 2.0.20, site passwords were potentially accessible in a memory dump,” the company said in its blog post. “The above issue only affected the IE addon, and as soon as the browser session ended, the data would have been cleared from memory. Malware is essentially the only way this could be exploited and we continue to encourage you to utilize anti-malware to protect your data.”
The update also adds notifications that users are employing “weak” or duplicate passwords in Internet Explorer – a feature which had previously been rolled out to Chrome and Firefox. “As you login to your sites, LastPass will let you know if you’re using a weak password, or if you logged in with a password that you’re also using for another account stored in your vault,” the company says. “This will help you be proactive about generating strong passwords, and eliminating password re-use.”
Earlier this month, Google’s Chrome browser came under fire for showing off user passwords in plain text to anyone who shared the same OS login. Elliot Kember showed off how passwords can easily be seen in plain text in the “passwords” tab within Chrome, simply by pressing a button saying, “Show.”
Kember described Google’s password strategy as “insane”, saying, “Google isn’t clear about its password security. Users […] don’t know it works like this. They don’t expect it to be this easy to see their passwords. Every day, millions of normal, everyday users are saving their passwords in Chrome. This is not okay.”
Previous ESET coverage of passwords – including how to strengthen yours – can be found here.