LastPass’ Authenticator app is not secure

Danielx64

Danielx64

Level 10
Thread author
Verified
Well-known
Mar 24, 2017
481
I’ve found a really easy way to bypass the fingerprint/PIN authentication that protects all of your 2FA codes. The Android app, produced by LastPass, doesn’t use the same protection that their flagship app uses (like locking when idle, lock on screen off, etc).

All you need is access to individual activities (“screens” of apps). You don’t need root to access these; pre-Oreo you can use an app like Adam Szalkowski’s Activity Launcher or if you’re on Oreo you can use sika524’s QuickShortcutMaker.
Click to expand...
This is scary as.
 
  • Like
Reactions: Weebarra, Andy Ful, spaceoctopus and 8 others
F

ForgottenSeer 58943

DeepWeb said:
Already fixed. No software will ever be fully secure, but it's good to know that the team at LastPass patches any vulnerabilities within 24 hours.
Click to expand...

24 hours? What are you smoking? They were notified in JUNE and failed to act. This is why I never used or trusted this product. It's nothing but a joke.

13th June 2017: Reported to LastPass support with proof. Jed from LP confirms that he can reproduce the issue

20th June: Followed up asking for an ETA. Support confirm that there is no ETA

7th December: Followed up, ticket pushed to “level 3 support”. Johnny from LP confirms that there are no updates and it is “still being investigated”.

8th December: Informed support that I would be publishing the details, received no response.

24th December: Published the details, received no response.

28th December: Last Pass issues a patch to fix it.
 
  • Like
Reactions: spaceoctopus, Azertydv, DeepWeb and 6 others
shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
ForgottenSeer 58943 said:
24 hours? What are you smoking? They were notified in JUNE and failed to act. This is why I never used or trusted this product. It's nothing but a joke.

13th June 2017: Reported to LastPass support with proof. Jed from LP confirms that he can reproduce the issue

20th June: Followed up asking for an ETA. Support confirm that there is no ETA

7th December: Followed up, ticket pushed to “level 3 support”. Johnny from LP confirms that there are no updates and it is “still being investigated”.

8th December: Informed support that I would be publishing the details, received no response.

24th December: Published the details, received no response.

28th December: Last Pass issues a patch to fix it.
Click to expand...
That's not very confidence-inspiring.
 
  • Like
Reactions: Weebarra, spaceoctopus, Vasudev and 1 other person
DeepWeb

DeepWeb

Level 25
Verified
Top Poster
Well-known
Jul 1, 2017
1,396
ForgottenSeer 58943 said:
24 hours? What are you smoking? They were notified in JUNE and failed to act. This is why I never used or trusted this product. It's nothing but a joke.

13th June 2017: Reported to LastPass support with proof. Jed from LP confirms that he can reproduce the issue

20th June: Followed up asking for an ETA. Support confirm that there is no ETA

7th December: Followed up, ticket pushed to “level 3 support”. Johnny from LP confirms that there are no updates and it is “still being investigated”.

8th December: Informed support that I would be publishing the details, received no response.

24th December: Published the details, received no response.

28th December: Last Pass issues a patch to fix it.
Click to expand...
Well in this case. They probably have a bucket list of vulnerabilities and their desktop app/extensions take first priority most likely. :ROFLMAO: And then there needs to be testing that the issue can be reproduced on all devices and all versions of Android, the fix doesn't break other features (on all versions and devices), is proof against future exploits that are similar, etc on all versions and devices of Android. Needless to say it is probably a pain in the butt to develop for Android since apps don't even have the same permissions across versions. There have been other cases where they did respond as quickly as they could. 24 hours was silly of me.

To give them a break, you either need physical access to the device or have malware on your device for it to be vulnerable. Honestly if either one is the case, you are already screwed. So the key here is to not allow physical access and to prevent malware and you should be fine.
 
  • Like
Reactions: Weebarra, Andy Ful, spaceoctopus and 2 others
F

ForgottenSeer 58943

shmu26 said:
Apparently it was never exploited in the wild, at least I didn't hear about it.
Click to expand...

I'm sure the spooks did though. LOL

I understand development cycles, but June for a critical exploit is horrid. IMO of course. I'd drop any company like a rock that failed to address a critical vulnerability within a reasonable period of time.
 
  • Like
Reactions: Weebarra
You must log in or register to reply here.

Similar threads

Gandalf_The_Grey
    • Like
    • Applause
    • +Reputation
New Update Bitwarden just launched a new authenticator app.
Replies
9
Views
905
Passwords and passkeys
aidunno
A
Gandalf_The_Grey
    • Like
    • Wow
    • +Reputation
Retool blames breach on Google Authenticator MFA cloud sync feature
Replies
8
Views
1,988
News Archive
Sandbox Breaker
Sandbox Breaker
Gandalf_The_Grey
    • Like
    • +Reputation
    • Thanks
Downloading an authentication app? Don't fall for the rogue ones
Replies
2
Views
899
News Archive
Mathew_200
Mathew_200

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top