LastPass’ Authenticator app is not secure

Danielx64

Level 10
Thread author
Verified
Well-known
Mar 24, 2017
481
I’ve found a really easy way to bypass the fingerprint/PIN authentication that protects all of your 2FA codes. The Android app, produced by LastPass, doesn’t use the same protection that their flagship app uses (like locking when idle, lock on screen off, etc).

All you need is access to individual activities (“screens” of apps). You don’t need root to access these; pre-Oreo you can use an app like Adam Szalkowski’s Activity Launcher or if you’re on Oreo you can use sika524’s QuickShortcutMaker.
This is scary as.
 
F

ForgottenSeer 58943

Already fixed. No software will ever be fully secure, but it's good to know that the team at LastPass patches any vulnerabilities within 24 hours.

24 hours? What are you smoking? They were notified in JUNE and failed to act. This is why I never used or trusted this product. It's nothing but a joke.

13th June 2017: Reported to LastPass support with proof. Jed from LP confirms that he can reproduce the issue

20th June: Followed up asking for an ETA. Support confirm that there is no ETA

7th December: Followed up, ticket pushed to “level 3 support”. Johnny from LP confirms that there are no updates and it is “still being investigated”.

8th December: Informed support that I would be publishing the details, received no response.

24th December: Published the details, received no response.

28th December: Last Pass issues a patch to fix it.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
24 hours? What are you smoking? They were notified in JUNE and failed to act. This is why I never used or trusted this product. It's nothing but a joke.

13th June 2017: Reported to LastPass support with proof. Jed from LP confirms that he can reproduce the issue

20th June: Followed up asking for an ETA. Support confirm that there is no ETA

7th December: Followed up, ticket pushed to “level 3 support”. Johnny from LP confirms that there are no updates and it is “still being investigated”.

8th December: Informed support that I would be publishing the details, received no response.

24th December: Published the details, received no response.

28th December: Last Pass issues a patch to fix it.
That's not very confidence-inspiring.
 

DeepWeb

Level 25
Verified
Top Poster
Well-known
Jul 1, 2017
1,396
24 hours? What are you smoking? They were notified in JUNE and failed to act. This is why I never used or trusted this product. It's nothing but a joke.

13th June 2017: Reported to LastPass support with proof. Jed from LP confirms that he can reproduce the issue

20th June: Followed up asking for an ETA. Support confirm that there is no ETA

7th December: Followed up, ticket pushed to “level 3 support”. Johnny from LP confirms that there are no updates and it is “still being investigated”.

8th December: Informed support that I would be publishing the details, received no response.

24th December: Published the details, received no response.

28th December: Last Pass issues a patch to fix it.
Well in this case. They probably have a bucket list of vulnerabilities and their desktop app/extensions take first priority most likely. :ROFLMAO: And then there needs to be testing that the issue can be reproduced on all devices and all versions of Android, the fix doesn't break other features (on all versions and devices), is proof against future exploits that are similar, etc on all versions and devices of Android. Needless to say it is probably a pain in the butt to develop for Android since apps don't even have the same permissions across versions. There have been other cases where they did respond as quickly as they could. 24 hours was silly of me.

To give them a break, you either need physical access to the device or have malware on your device for it to be vulnerable. Honestly if either one is the case, you are already screwed. So the key here is to not allow physical access and to prevent malware and you should be fine.
 
F

ForgottenSeer 58943

Apparently it was never exploited in the wild, at least I didn't hear about it.

I'm sure the spooks did though. LOL

I understand development cycles, but June for a critical exploit is horrid. IMO of course. I'd drop any company like a rock that failed to address a critical vulnerability within a reasonable period of time.
 
  • Like
Reactions: Weebarra

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top