Tuesday, 3 September 2013

LastPass Passwords Exposed

Password management firm LastPass, which stores passwords on a secure server online and can automatically log users into sites, confirmed a bug in its software on Monday that exposed some of its users' passwords. The vulnerability, which LastPass says would have been very difficult to exploit, only affected users running version 1.0.20 of the LastPass plug-in on Windows computers.

A bug exploit would require the attacker to perform a "memory dump," which occurs when the user attempts to connect one process to another. This would grant the attacker access to LastPass passwords used on the machine during the most recent browsing session, even if the browser was no longer logged into LastPass.

"If exploited, passwords stored in LastPass were accessible when performing a memory dump of the browser," the LastPass spokesperson said. "If a user had launched IE and logged into the LastPass add-on, thereby locally decrypting their data, passwords that had been used in that browsing session would be visible in the resulting memory dump."

The spokesperson added that the issue only affected the add-on, and as soon as the browser session ended, the data would have been cleared from memory. "Any data not used during the browser session would have remained encrypted and would not appear in the memory dump in plain text."

"This also means someone would need physical access to the computer in order to take advantage of the exploit."

"If a user had utilized generated passwords, it would be even more difficult for someone to identify the individual passwords in the memory dump," the spokesperson explained. "Creating and managing secure passwords with a password manager will still accomplish far more in securing you online — you'll need to take extra steps to protect yourself from malware, but this should not affect your decision to use LastPass."

Although this issue may seem worrisome, LastPass says password management services are still more secure than relying on typical log-in information to access accounts.
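The failure mode described above, a credential decrypted into process memory for one session and still readable from a memory snapshot until it is cleared, can be reproduced in miniature. The following C program is an added illustration, not LastPass code or anything from the Mashable report: it "decrypts" a constructed sample password into a working buffer, optionally scrubs it after use with a wipe the optimiser cannot remove, and then scans a copy of that buffer region (standing in for a dump of the process) for the plaintext.

```c
#include <stdlib.h>
#include <string.h>

/* Zero a buffer through a volatile pointer so a plain memset() cannot be
 * optimised away as a "dead store" once the buffer is no longer read. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = p;
    while (n--) *vp++ = 0;
}

/* Return 1 if the byte string `needle` (length m) occurs in `hay` (length n). */
static int mem_contains(const unsigned char *hay, size_t n,
                        const unsigned char *needle, size_t m) {
    if (m == 0 || n < m) return 0;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Simulate one browsing session. The add-on decrypts a stored credential into
 * a working region, uses it for autofill, and either scrubs it or leaves it.
 * A snapshot of the region then plays the role of a memory dump.
 * Returns 1 if the plaintext is recoverable from the snapshot, 0 if not,
 * -1 on allocation failure. */
int plaintext_survives_session(int scrub_after_use) {
    /* Constructed sample credential; not a real password. */
    static const unsigned char plaintext[] = "correct-horse-battery-staple";
    const size_t plen = sizeof plaintext - 1;
    enum { REGION = 4096 };
    const size_t off = 1234;             /* arbitrary offset inside the region */
    unsigned char *region = calloc(1, REGION);
    if (!region) return -1;
    memcpy(region + off, plaintext, plen);   /* "decrypt" into memory */
    /* ... credential used for the login form here ... */
    if (scrub_after_use) secure_wipe(region + off, plen);

    unsigned char *dump = malloc(REGION);    /* snapshot, as a dump would see it */
    if (!dump) { free(region); return -1; }
    memcpy(dump, region, REGION);
    int found = mem_contains(dump, REGION, plaintext, plen);
    free(dump);
    free(region);
    return found;
}
```

The unscrubbed session leaves the password in the snapshot; wiping it once the form has been filled removes it, which is the behaviour LastPass describes for the end of a session.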

SOURCE: MASHABLE
