LastPass Authenticator Update Fixes a Serious Security Vulnerability
LastPass is one of the most popular password managers on Android, and for good reason: It’s incredibly secure. But the same couldn’t be said of LastPass Authenticator, its companion application, which made headlines when a security researcher discovered a serious vulnerability in its code. Luckily, it was patched this week.
LastPass Authenticator offers 2FA on LastPass accounts and other supported apps. It’s one of the few multi-factor authentication apps that gives users the option of using a fingerprint and/or PIN instead of a passcode, but the system had a serious flaw: Almost any app could access the app’s TOTP (multi-factor) codes.
It wasn’t too challenging, either. As detailed in a Medium post by a programmer in early December, an attacker could use a third-party app to open LastPass Authenticator’s settings activity and the settings menu, which exposed the 2FA codes.
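The class of bug described above is an Android component that other apps on the device can start directly. As an added example (not code from LastPass or from the article), the Python script below audits an AndroidManifest.xml the way a reviewer would before release: it flags every activity, service, receiver or provider that is effectively exported but carries no `android:permission`, skipping only the launcher entry point, which must be reachable. The two manifests, the package `com.example.authenticator` and the component `.SettingsActivity` are constructed placeholders, and the reading of the flaw as an exported settings activity is my assumption, not a detail the article gives.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ENTRY_COMPONENTS = ("activity", "service", "receiver", "provider")

# Constructed "before" manifest: a hypothetical settings screen is exported with
# no permission, so any third-party app can start it with an explicit Intent.
WEAK_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.authenticator">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="true"/>
  </application>
</manifest>"""

# Constructed "after" manifest: the same screen is private to the app.
HARDENED_MANIFEST = WEAK_MANIFEST.replace(
    'android:name=".SettingsActivity" android:exported="true"',
    'android:name=".SettingsActivity" android:exported="false"',
)


def _attr(elem: ET.Element, name: str):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _is_launcher(comp: ET.Element) -> bool:
    """True for the app's MAIN/LAUNCHER entry point, which must stay exported."""
    for flt in comp.findall("intent-filter"):
        actions = {_attr(a, "name") for a in flt.findall("action")}
        cats = {_attr(c, "name") for c in flt.findall("category")}
        if ("android.intent.action.MAIN" in actions
                and "android.intent.category.LAUNCHER" in cats):
            return True
    return False


def find_exposed_components(manifest_xml: str) -> List[Dict[str, str]]:
    """Return components other apps can start that are not guarded by a permission."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    findings: List[Dict[str, str]] = []
    if app is None:
        return findings
    for comp in app:
        if comp.tag not in ENTRY_COMPONENTS:
            continue
        exported = _attr(comp, "exported")
        if exported is None:
            # Historical default: an unset android:exported is treated as true
            # when the component declares an intent filter.
            effective = comp.find("intent-filter") is not None
        else:
            effective = exported.lower() == "true"
        if not effective or _attr(comp, "permission") or _is_launcher(comp):
            continue
        findings.append({
            "component": comp.tag,
            "name": _attr(comp, "name") or "<unnamed>",
            "reason": "exported without android:permission",
        })
    return findings


if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label, find_exposed_components(manifest))
```

Setting `android:exported="false"` removes the cross-app entry point; the fingerprint/PIN gate LastPass describes for the updated app is a second, independent layer that protects the codes even from screens the app itself reaches. Run the audit against every manifest in a build, not just the obvious secret-displaying screens, since an exported activity anywhere in the task stack can be a path to them.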
In a blog post, LastPass announced an update for the Authenticator app that fixes the issue. The company says that now, users must provide their fingerprint or PIN code to view the one-time code, and that the one-time codes are useless without an associated username and password.
The company advises all users to update Authenticator to the latest version, and admits that “proper steps were not taken to escalate and resolve it in a timely manner”; the company was informed of the vulnerability in June, it turns out. It adds that it has “identified and resolved the procedural issue” to ensure that future bug reports are correctly handled and escalated.
LastPass recommends users not to reuse their LastPass master password, and to use strong passwords with two-factor authentication. Finally, the company states that it will “constantly evolve” its bug bounty program to make its product better.