We are big proponents of password managers, especially LastPass, so when we saw this little piece from PCMag.com hit the news, we thought it best to help spread the word. Apparently the concern is that, after autofilling a form, IE keeps some passwords in cleartext in memory.
Of course LastPass must hold your master password in cleartext in memory regardless. One could argue that since your master password is in cleartext and your site passwords are encrypted with it, an attacker who can read memory could decrypt them anyway. Still, keeping the site passwords encrypted until they are actually used raises the bar for would-be attackers.
SecurityWatch has confirmed with LastPass that a vulnerability existed in its software, leaving some passwords accessible. A patch has already been released and is available to download.
We learned about the vulnerability from our reader David Hughes. We in turn informed LastPass who confirmed that the issue was created by a recent update to their system. Their fix should be released today, and we encourage everyone to update their software or download the new version from LastPass. This issue would only affect users of IE with LastPass version 2.0.20.
Our reader informed us that when he performed a memory dump on Windows IE, he was able to retrieve stored LastPass passwords in plaintext. It seems that when the password manager autofills fields in IE, the unencrypted passwords remain accessible in memory. Passwords from previous sessions do not appear to be affected, as quitting IE cleans up the memory. Additionally, passwords which have not been used to autofill fields remain encrypted and cannot be retrieved using this vulnerability.
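The failure mode described above, a decrypted secret that outlives the autofill, as an added example in C that is not LastPass or PCMag code: a hypothetical autofill routine that either leaves the plaintext in a persistent buffer (the reported behaviour) or scrubs it with a wipe the compiler cannot optimize away, plus the substring check a memory-dump analyst would run. The vault entry and its toy XOR "cipher" are constructed samples.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not LastPass or PCMag code. Shows the reported bug
 * (plaintext left in process memory after the form is filled) beside
 * the scrub that removes it. The vault entry is a constructed sample
 * "encrypted" with a one-byte XOR; the point is memory hygiene. */

/* Simulated form field; survives the call, like a browser's DOM buffer. */
unsigned char field_buf[64];

/* Zeroing through a volatile pointer so the compiler cannot drop the
 * stores as dead (plain memset on a dying buffer often is dropped). */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* What a memory-dump analyst looks for: the secret as a substring.
 * Returns 1 if it is still present, 0 if not. */
int residue_present(const unsigned char *buf, size_t buflen, const char *secret) {
    size_t slen = strlen(secret);
    for (size_t i = 0; slen > 0 && i + slen <= buflen; i++)
        if (memcmp(buf + i, secret, slen) == 0) return 1;
    return 0;
}

/* Decrypts the vault entry into the field, "submits" the form, then
 * either leaves both copies behind (wipe == 0, the reported bug) or
 * scrubs them (wipe == 1). Returns residue_present() on the field. */
int autofill_and_submit(int wipe) {
    /* Constructed sample: "S3cret!" XOR 0x5A. */
    const unsigned char vault_ct[] = {0x09, 0x69, 0x39, 0x28, 0x3F, 0x2E, 0x7B};
    const unsigned char key = 0x5A;
    unsigned char plain[sizeof vault_ct + 1];
    for (size_t i = 0; i < sizeof vault_ct; i++) plain[i] = vault_ct[i] ^ key;
    plain[sizeof vault_ct] = '\0';
    memcpy(field_buf, plain, sizeof plain);          /* autofill */
    /* ... form submitted here; the plaintext is no longer needed ... */
    if (wipe) {
        secure_wipe(plain, sizeof plain);            /* stack copy */
        secure_wipe(field_buf, sizeof field_buf);    /* field copy */
    }
    return residue_present(field_buf, sizeof field_buf, "S3cret!");
}

int main(void) {
    printf("residue without wipe=%d, with wipe=%d\n", autofill_and_submit(0), autofill_and_submit(1));
    return 0;
}
```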
Do you know of additional controls that LastPass uses to stop attackers from using your master password in memory? Let us know in the comments below. See ya!