Locally-stored passwords are a security risk, claims a web application security provider after the revelation that Internet Explorer passwords can be viewed in plain text.
SaaSID CTO Richard Walters warned firms against such passwords after PC Magazine reported that password management service LastPass allows Internet Explorer passwords to be viewed in plain text under certain circumstances.
The vulnerability was discovered by a LastPass customer, David Hughes, who found that when he moved from one process to another and used LastPass to autofill log in details in Internet Explorer, he was able to access his passwords in plain text within his PC’s memory.
Previous IE sessions were not affected because the memory cache is cleared every time the browser is closed.
LastPass was quick to respond to the issue and has already produced a patch to prevent IE passwords being stored in plain text on users’ devices.
The vulnerability is not thought to affect any other browser and could only be exploited if a hacker gained access to a LastPass/IE user’s machine and performed a memory dump.
LastPass has advised all customers to update to the latest version of its password management software.
Walters said: "While this bug was very limited in scope and only affected people using LastPass version 2.0.20 with Internet Explorer, it serves as a reminder that storing passwords locally on devices carries a risk.
"Organisations that are concerned about the security of employees managing thousands of passwords are increasingly implementing Single Sign-On.
"To address the risk of web credentials being stolen from devices, many organisations are looking at authentication solutions that don’t rely on a credential being present on the user’s device."
SaaSID enables server-side authentication of users to web applications, preventing log in credentials from being stored on personal devices. Users do not know their login details, so they cannot write them down, share them, or have them stolen via malware on the device.