LastPass’ Authenticator app might not be as secure as you think



  • A programmer discovered an exploit in the LastPass Authenticator app
  • The exploit supposedly allows you to view 2FA codes without your fingerprint or PIN
  • LastPass has yet to respond to a request for comment on the issue

 


 

Update (12/27): LastPass’s support page on Twitter issued a statement on the matter, saying that the company is aware of the issue and is “evaluating it thoroughly.” LastPass also said that those using strong passwords don’t need to do anything yet, though that hasn’t quelled concerns regarding the issue:

 

On a smaller note, Dylan reached out to me via email and wanted to clarify that Hacker Noon agreed to host his post on the website and that he received no compensation from Hacker Noon for the post. Dylan works for Red River Software and does not write for Hacker Noon.

Original story (12/27): For those of you using LastPass as your password manager of choice, you’ve probably heard of or used the company’s Authenticator app. Released last year, LastPass Authenticator introduces two-factor authentication to your LastPass account and other supported applications.

As useful as the app is, it appears that there is a glaring security hole that bypasses any fingerprint or PIN authentication you have in place.

That hole was discovered by Dylan, a programmer over at Hacker Noon who found that all you need to access your 2FA codes is access to the app’s individual activities. There is no need to root your device, either — Dylan says you can use an app like Activity Launcher for devices running Android Nougat and older, as well as QuickShortcutMaker for devices running Android Oreo.

According to the programmer, you are looking for access to the “com.lastpass.authenticator.activities.SettingsActivity” activity. Once you open it, press the back arrow button and you land on the Main activity, where you see all of your 2FA codes. Dylan says that he did not need to provide his fingerprint or PIN to access the information at any point.


Here’s where things get a bit hairier. According to Dylan, he first reported the workaround in June, with a LastPass support representative confirming he could replicate the issue. When Dylan followed up with LastPass, he was reportedly told that there was no ETA for a fix.

Fast forward to December, and Dylan was reportedly told that the issue was “still being investigated” and that there were no updates. Dylan then decided to publish the details regarding the issue a little over two weeks after he last communicated with LastPass.

In other words, the issue seems to still exist in the LastPass Authenticator app and a fix doesn’t appear to be coming anytime soon. To be sure, Android Authority reached out to LastPass for comment on the matter and will update this article accordingly.

Still, it’s a bit weird that this issue has been around since June and no update has been issued to close the workaround. Also, just in case you were wondering, this issue doesn’t appear to exist in the iOS version.

