SecurityWatch has confirmed with LastPass that a vulnerability existed in its software, leaving some passwords accessible. A patch has already been released and is available to download.
The Vulnerability
We learned about the vulnerability from our reader David Hughes. We in turn informed LastPass who confirmed that the issue was created by a recent update to their system. Their fix should be released today, and we encourage everyone to update their software or download the new version from LastPass. This issue would only affect users of IE with LastPass version 2.0.20.
Our reader informed us that when he performed a memory dump on Windows IE, he was able to retrieve stored LastPass passwords in plaintext. It seems that when the password manager autofills fields in IE, the unencrypted passwords remain accessible in memory. Passwords from previous sessions do not appear to be affected, as quitting IE cleans up the memory. Additionally, passwords which have not been used to autofill fields remain encrypted and cannot be retrieved using this vulnerability.
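The failure mode described above (a decrypted password copied into a working buffer for autofill and never wiped) and its fix (explicit zeroisation after use) can be shown with a small simulation. This is an added example, not LastPass code: the `arena` array is a constructed stand-in for the process memory a dump would capture, and `autofill` is a hypothetical routine that mimics the copy an autofill step makes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARENA 256

/* Constructed stand-in for the process memory a dump would capture. */
static unsigned char arena[ARENA];

/* Wipe that the compiler cannot optimise away (same idea as SecureZeroMemory
   on Windows or explicit_bzero on glibc/BSD). */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Hypothetical autofill: the decrypted password is copied into a working
   buffer (here, part of the arena) so it can be written into the form field. */
static void autofill(const char *decrypted, int scrub_after_use) {
    char *field = (char *)arena + 64;   /* working buffer inside the arena */
    size_t n = strlen(decrypted);
    memcpy(field, decrypted, n + 1);
    /* ... field handed to the browser's form control here ... */
    if (scrub_after_use)
        secure_zero(field, n + 1);      /* the mitigation: drop the plaintext */
}

/* Defender-side check: does a memory region still hold the plaintext? */
static int region_contains(const unsigned char *mem, size_t len,
                           const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(mem + i, needle, n) == 0) return 1;
    return 0;
}

/* Run one autofill and report whether the plaintext survived in the arena. */
int plaintext_survives(int scrub_after_use) {
    const char *secret = "correct-horse-battery";   /* constructed sample */
    memset(arena, 0, ARENA);
    autofill(secret, scrub_after_use);
    return region_contains(arena, ARENA, secret);
}

int main(void) {
    printf("no scrub:   plaintext left in memory = %d\n", plaintext_survives(0));
    printf("with scrub: plaintext left in memory = %d\n", plaintext_survives(1));
    return 0;
}
```

Without the scrub the plaintext remains findable in the region, which is the behaviour the report describes; with it, only the encrypted vault copy would remain.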
The issue appears to affect only IE users, so everyone else is safe unless you've been using your browser to store passwords for you—which you should stop doing.
While the issue sounds scary, the scope of the vulnerability is limited. LastPass told SecurityWatch, "this particular issue would be extremely difficult to exploit - requiring that you be using IE, that you've logged in to LastPass to decrypt your data, perform a memory dump, hunt through the memory dump, and actually locate the passwords - we have made fixing this a priority because we value the privacy and security of our users' data above all else."
Furthermore, dumping the memory is far easier to do if you have direct access to the target computer—something an attacker is unlikely to have. If an attacker can remotely access your machine and perform the dump, then you probably have a lot more to worry about.
Staying Safe
If you are using this version of LastPass in IE, the update from LastPass will take care of the issue, so the best way to stay secure is to download it immediately.
Most importantly, do not stop using a password manager. If you're feeling wary of LastPass, consider our other Editors' Choice DashLane 2.0. Storing and creating unique passwords is a very valuable service, and will absolutely keep you safer online.
We're going to continue to recommend LastPass as a password manager, and I've been impressed with the speed with which the issue has been addressed over the past few days. If any other tipsters out there are interested, you can report issues directly to LastPass from their website—or just drop us a line.