LastPass plugs IE add-on vulnerability

Summary: Passwords could be exposed during memory dump.

TOPICS: Security

LastPass Monday issued an update for its password management software including a fix for a vulnerability that exposed passwords stored in Internet Explorer, the company said on its blog.

The vulnerability, which requires a number of steps and conditions to exploit, was in the LastPass add-on for IE. The vulnerability did not affect any LastPass add-ons for other browsers.

The company is recommending that users upgrade to this new version.

The update fixes an issue that affected users logged into the LastPass IE extension version 2.0.20. The site passwords used in IE by those users "were potentially accessible in a memory dump," according to the company's blog.

The company said exposure to the vulnerability was minimal and that as "soon as the browser session was ended, the data was cleared from memory. Privacy and security of our users’ data is paramount. Malware is essentially the only way this could be exploited and we continue to encourage you to utilize anti-malware to protect your data."

LastPass also included sync, password configurations, and history updates, and support for IE 11 in the latest version.



John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.

  • My memory says...

    I just took a dump.
  • Glad I got off that boat.

    I left back when LastPass had their first breach. Seems to be a more and more common thing with exploits in their software. Played with KeePass and just couldn't keep with it. Been with RoboForm for a while now, a pretty good alternative. Haven't seen an exploit or security article about them at all.