- A programmer discovered an exploit in the LastPass Authenticator app to bypass scanning a fingerprint or entering a pin for access.
- Users could bypass the extra layer of security by opening the individual activity through a third-party app like Action Launcher.
- The company acknowledged the issue the same day and an update is now available to fix the issue.
Update (12/29): We brought you news on Wednesday of a security flaw with LastPass’ Authenticator app. Within a day’s time, the company has acknowledged the issue and pushed an update to fix it.
LastPass Authenticator offers users the option to require a fingerprint or pin code to open the app. The security flaw allowed an individual to access Authenticator’s one-time codes without first scanning a fingerprint or inputting a passcode. A programmer was able to access the full app by opening individual activities with an app like Action Launcher.
LastPass says that a new update closes that hole. The app requires either a fingerprint or a pin to see the number no matter how it was opened if a user has the extra security feature enabled. The update is now live and you can get it by hitting the button below.
The company is also making changes to its support system. Since the security flaw wasn’t passed through its bug tracker, the issue was not immediately escalated as it should have been. LastPass says it “resolved the procedural issue to ensure future reports are handled correctly.”
Previous coverage (12/27): LastPass’s support page on Twitter issued a statement on the matter, saying that the company is aware of the issue and is “evaluating it thoroughly.” LastPass also said that those using strong passwords don’t need to do anything yet, though that hasn’t quelled concerns regarding the issue:
We’re aware of the concern raised with the Authenticator app and are evaluating it thoroughly.
Users who continue to use strong passwords do not need to take any action at this time.
— LastPass Support (@LastPassHelp) December 27, 2017
On a smaller note, Dylan reached out to me via email and wanted to clarify that Hacker Noon agreed to host his post on the website and that he received no compensation from Hacker Noon for the post. Dylan works for Red River Software and does not write for Hacker Noon.
Original story (12/27): For those of you using LastPass as your password manager of choice, you’ve probably heard of or used the company’s Authenticator app. Released last year, LastPass Authenticator introduces two-factor authentication to your LastPass account and other supported applications.
As useful as the app is, it appears that there is a glaring security hole that bypasses any fingerprint or PIN authentication you have in place.
That hole was discovered by Dylan, a programmer over at Hacker Noon who found that all you need to do to access your 2FA codes is access to individual activities. There is no need to root your device, either — Dylan says you can use an app like Activity Launcher for devices running Android Nougat and older, as well as QuickShortcutMaker for devices running Android Oreo.
According to the programmer, you are looking for access to the “com.lastpass.authenticator.activities.SettingsActivity” activity. Once you open it, press the back arrow button and you make it to the Main activity, where you see all of your 2FA codes. Dylan says that he did not need to provide his fingerprint or PIN number to access the information at any point.
Here’s where things get a bit hairier. According to Dylan, he first reported the workaround in June, with a LastPass support representative confirming he could replicate the issue. When Dylan followed up with LastPass, he was reportedly told that there was no ETA for a fix.
Fast forward to December, and Dylan was reportedly told that the issue was “still being investigated” and that there were no updates. Dylan then decided to publish the details regarding the issue a little over two weeks after he last communicated with LastPass.
In other words, the issue seems to still exist in the LastPass Authenticator app and there doesn’t appear to be a fix anytime soon. To be sure, Android Authority reached out to LastPass for comment on the matter and will update this article accordingly.
Still, it’s a bit weird to see this issue around since June and no update has been issued to close the workaround. Also, just in case you were wondering, this issue doesn’t appear to exist in the iOS version.