LastPass’ Authenticator app is not secure

Discussion in 'Security News' started by Danielx64, Dec 28, 2017.

  1. Danielx64
    This is scary as.
     
  2. upnorth
  3. Slyguy
    Try Bitwarden. Open source. Professional. Secure. FREE.

    The team that did Bitwarden wanted a LastPass clone, but not the increasing price of membership to LastPass or the security issues it's had over time.
     
  4. DeepWeb
    Already fixed. No software will ever be fully secure, but it's good to know that the team at LastPass patches any vulnerabilities within 24 hours.
     
  5. Slyguy
    24 hours? What are you smoking? They were notified in JUNE and failed to act. This is why I never used or trusted this product. It's nothing but a joke.

    13th June 2017: Reported to LastPass support with proof. Jed from LP confirms that he can reproduce the issue

    20th June: Followed up asking for an ETA. Support confirms that there is no ETA

    7th December: Followed up, ticket pushed to “level 3 support”. Johnny from LP confirms that there are no updates and it is “still being investigated”.

    8th December: Informed support that I would be publishing the details, received no response.

    24th December: Published the details, received no response.

    28th December: LastPass issues a patch to fix it.
     
  6. shmu26
    That's not very confidence-inspiring.
     
  7. DeepWeb
    Well, in this case, they probably have a bucket list of vulnerabilities, and their desktop app/extensions most likely take first priority. :ROFLMAO: And then there needs to be testing that the issue can be reproduced on all devices and all versions of Android, that the fix doesn't break other features (on all versions and devices), that it is proof against similar future exploits, etc., on all versions and devices of Android. Needless to say, it is probably a pain in the butt to develop for Android, since apps don't even have the same permissions across versions. There have been other cases where they did respond as quickly as they could. 24 hours was silly of me.

    To give them a break, you either need physical access to the device or have malware on your device for it to be vulnerable. Honestly if either one is the case, you are already screwed. So the key here is to not allow physical access and to prevent malware and you should be fine.
     
  8. shmu26
    Apparently it was never exploited in the wild, at least I didn't hear about it.
     
  9. Slyguy
    I'm sure the spooks did though. LOL

    I understand development cycles, but June for a critical exploit is horrid. IMO of course. I'd drop any company like a rock that failed to address a critical vulnerability within a reasonable period of time.
     