LastPass’ Authenticator app is not secure

#1
I’ve found a really easy way to bypass the fingerprint/PIN authentication that protects all of your 2FA codes. The Android app, produced by LastPass, doesn’t use the same protection that their flagship app uses (like locking when idle, lock on screen off, etc).

All you need is access to individual activities (“screens” of apps). You don’t need root to access these; pre-Oreo you can use an app like Adam Szalkowski’s Activity Launcher or if you’re on Oreo you can use sika524’s QuickShortcutMaker.
This is scary as.
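The bypass described above depends on individual screens being startable directly from another app. One audit check a defender can run against a decompiled APK's AndroidManifest.xml is to list every activity that other apps can launch; this is an added example, not code from the thread or from LastPass, and the manifest it parses is a constructed sample, with the "intent-filter without an explicit android:exported means exported" rule assumed for apps targeting Android versions before 12.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (not any real app's manifest): a launcher
# activity, one screen explicitly exported, one screen implicitly exported
# through an intent-filter, and one screen correctly kept internal.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.authenticator">
  <application>
    <activity android:name=".LockScreenActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".CodeListActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity">
      <intent-filter>
        <action android:name="com.example.authenticator.SETTINGS"/>
      </intent-filter>
    </activity>
    <activity android:name=".BackupActivity" android:exported="false"/>
  </application>
</manifest>
"""


def reachable_activities(manifest_xml: str) -> dict:
    """Return {fully qualified activity name: reason} for every activity that
    another app can start directly. Rule: android:exported="true", or no
    explicit android:exported attribute but at least one <intent-filter>
    (implicitly exported on Android versions before 12)."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    result = {}
    for act in root.iter("activity"):
        name = act.get(f"{{{ANDROID_NS}}}name", "")
        if name.startswith("."):          # expand shorthand relative names
            name = pkg + name
        exported = act.get(f"{{{ANDROID_NS}}}exported")
        has_filter = act.find("intent-filter") is not None
        if exported == "true":
            result[name] = 'android:exported="true"'
        elif exported is None and has_filter:
            result[name] = "implicitly exported via <intent-filter>"
    return result


if __name__ == "__main__":
    # Every screen listed here must enforce the PIN/fingerprint gate itself,
    # because a launcher app can open it without going through the lock screen.
    for activity, why in reachable_activities(SAMPLE_MANIFEST).items():
        print(f"{activity}: {why}")
```

Any activity the check lists that shows secrets (here, the code list) needs its own unlock check on resume rather than relying on the launcher screen having been passed.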
 

Slyguy (#5)
> Already fixed. No software will ever be fully secure, but it's good to know that the team at LastPass patches any vulnerabilities within 24 hours.

24 hours? What are you smoking? They were notified in JUNE and failed to act. This is why I never used or trusted this product. It's nothing but a joke.

13th June 2017: Reported to LastPass support with proof. Jed from LP confirms that he can reproduce the issue

20th June: Followed up asking for an ETA. Support confirm that there is no ETA

7th December: Followed up, ticket pushed to “level 3 support”. Johnny from LP confirms that there are no updates and it is “still being investigated”.

8th December: Informed support that I would be publishing the details, received no response.

24th December: Published the details, received no response.

28th December: LastPass issues a patch to fix it.
 

shmu26 (#6)
> 24 hours? What are you smoking? They were notified in JUNE and failed to act. This is why I never used or trusted this product. It's nothing but a joke.
>
> 13th June 2017: Reported to LastPass support with proof. Jed from LP confirms that he can reproduce the issue
>
> 20th June: Followed up asking for an ETA. Support confirm that there is no ETA
>
> 7th December: Followed up, ticket pushed to “level 3 support”. Johnny from LP confirms that there are no updates and it is “still being investigated”.
>
> 8th December: Informed support that I would be publishing the details, received no response.
>
> 24th December: Published the details, received no response.
>
> 28th December: LastPass issues a patch to fix it.

That's not very confidence-inspiring.
 
#7
> 24 hours? What are you smoking? They were notified in JUNE and failed to act. This is why I never used or trusted this product. It's nothing but a joke.
>
> 13th June 2017: Reported to LastPass support with proof. Jed from LP confirms that he can reproduce the issue
>
> 20th June: Followed up asking for an ETA. Support confirm that there is no ETA
>
> 7th December: Followed up, ticket pushed to “level 3 support”. Johnny from LP confirms that there are no updates and it is “still being investigated”.
>
> 8th December: Informed support that I would be publishing the details, received no response.
>
> 24th December: Published the details, received no response.
>
> 28th December: LastPass issues a patch to fix it.

Well, in this case, they probably have a bucket list of vulnerabilities, and their desktop app/extensions most likely take first priority. And then there needs to be testing that the issue can be reproduced on all devices and all versions of Android, that the fix doesn't break other features (on all versions and devices), that it is proof against future exploits that are similar, etc., on all versions and devices of Android. Needless to say, it is probably a pain in the butt to develop for Android since apps don't even have the same permissions across versions. There have been other cases where they did respond as quickly as they could. 24 hours was silly of me.

To give them a break, you either need physical access to the device or have malware on your device for it to be vulnerable. Honestly if either one is the case, you are already screwed. So the key here is to not allow physical access and to prevent malware and you should be fine.
 

Slyguy (#9)
Apparently it was never exploited in the wild, at least I didn't hear about it.
I'm sure the spooks did though. LOL

I understand development cycles, but June for a critical exploit is horrid. IMO of course. I'd drop any company like a rock that failed to address a critical vulnerability within a reasonable period of time.
 