A programmer identified as “Dylan M.” recently revealed that he found a vulnerability in the LastPass Authenticator (opens in new tab), a two-factor authentication (2FA) Android app similar to Google Authenticator, Authy, and others like them. The flaw could allow malicious applications to bypass the fingerprint/PIN authentication entirely and extract users' 2FA codes. After seemingly waiting six months to fix the bug since the programmer disclosed it privately, LastPass has now issued a patch that fixes the flaw.
LastPass Authenticator Fingerprint/PIN Bypass
According to Dylan, the LastPass Authenticator doesn’t use the same locking procedure as the flagship LastPass Password Manager application, and it doesn’t lock itself when it’s idle or when the phone screen is off. This allows anyone or any malicious application to access Authenticator’s two-factor authentication codes.
In other words, a malicious app could extract those 2FA codes and log in in your place (granted the attacker already has your login credentials for a given website). This sort of flaw essentially nullifies the purpose of the Authenticator, which is to give you secure and secret codes to use in combination with your password when you log in to various websites.
The programmer said that he contacted LastPass about the issue on June 13, and then several times after that after he saw that the company kept ignoring him. Eventually he seems to have decided to make the flaw public, six months later.
LastPass Patches The Flaw
Once the flaw was made public, LastPass responded on Twitter a few days later that it’s working on the issue:
As the tweet says, users who log in with strong unique passwords to their online accounts didn’t have to worry themselves too much with this issue. However, as we’ve seen from many reports, most users continue to use passwords as simple as “123456,” and the only reason even that "strong" of a password is used is because most sites require at least six characters these days and not just four.
Additionally, if everyone used a strong unique password, then 2FA apps would largely not be needed, and that includes LastPass’ Authenticator.
The good news is that LastPass didn’t take too long to fix the flaw once it was made public, so now Android users can update the Authenticator app and benefit from the increased protection. LastPass also added that if users recently had their phones stolen, they should follow the company’s instructions (opens in new tab).