LastPass plugs IE add-on vulnerability

Summary: Passwords could be exposed during memory dump.

LastPass on Monday issued an update for its password management software, including a fix for a vulnerability that exposed passwords stored in Internet Explorer, the company said on its blog.

The vulnerability, which requires a number of steps and conditions to exploit, was in the LastPass add-on for IE. The vulnerability did not affect any LastPass add-ons for other browsers.

The company is recommending that users upgrade to this new version.

The update fixes an issue that affected users logged into the LastPass IE extension version 2.0.20. The site passwords used in IE by those users "were potentially accessible in a memory dump," according to the company's blog.

The company said exposure to the vulnerability was minimal and that as "soon as the browser session was ended, the data was cleared from memory. Privacy and security of our users’ data is paramount. Malware is essentially the only way this could be exploited and we continue to encourage you to utilize anti-malware to protect your data."

LastPass also included sync, password configurations, and history updates, and support for IE 11 in the latest version.

About

John Fontana is a journalist focusing on identity, privacy and security issues. Currently, he is the Identity Evangelist for cloud identity security vendor Ping Identity, where he blogs about relevant issues related to digital identity.

Talkback

2 comments
  • My memory says...

    I just took a dump.
    bufbarnaby1999
  • Glad I got off that boat.

    I left back when LastPass had their first breach. Seems to be a more and more common thing with exploits in their software. Played with KeePass and just couldn't keep with it. Been with RoboForm for a while now, a pretty good alternative. Haven't seen an exploit or security article about them at all.
    WalkingCryptomaniac