LastPass closes vulnerability in 2fa app for Android
LastPass has closed a security hole in the LastPass Authenticator app for Android. The 2fa codes could be read by creating a shortcut to another part of the app and then navigating with the back button to the page with the codes.
Normally, this 2fa app also requires the user to log in with a PIN or a fingerprint, provided that the user has enabled this. However, this relatively simple trick, which a rogue app could also perform, skips that lock entirely and so defeats one of LastPass' security components.
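The weakness described above is a lock that is only enforced on the entry screen, so any other route into the app (a shortcut, a deep link, the back stack) never meets it. The usual fix is to re-check the lock state on every sensitive screen. The Kotlin below is an added illustration of that pattern, not LastPass' code; AppLock, LockedActivity and UnlockActivity are hypothetical names:

```kotlin
import android.content.Intent
import android.os.SystemClock
import androidx.appcompat.app.AppCompatActivity

// Hypothetical unlock-state holder: the app counts as unlocked only for a
// short window after the user authenticated with PIN or fingerprint.
object AppLock {
    private const val TIMEOUT_MS = 30_000L
    @Volatile private var unlockedAt: Long = 0L

    fun markUnlocked() { unlockedAt = SystemClock.elapsedRealtime() }
    fun lock() { unlockedAt = 0L }
    fun isUnlocked(): Boolean =
        unlockedAt != 0L && SystemClock.elapsedRealtime() - unlockedAt < TIMEOUT_MS
}

// Every screen that shows secrets (for example the 2fa code list) extends this
// instead of AppCompatActivity. The check runs in onResume, so it also fires
// when the screen is reached through a shortcut, a deep link, or by pressing
// back from another activity, not only when the app is launched normally.
abstract class LockedActivity : AppCompatActivity() {
    override fun onResume() {
        super.onResume()
        if (!AppLock.isUnlocked()) {
            // Send the user to the (hypothetical) unlock screen and drop this
            // activity from the back stack so back-navigation cannot reveal it.
            startActivity(
                Intent(this, UnlockActivity::class.java)
                    .addFlags(Intent.FLAG_ACTIVITY_CLEAR_TOP)
            )
            finish()
        }
    }
}
```

UnlockActivity is expected to call AppLock.markUnlocked() only after a successful PIN or biometric check; relocking when the whole app goes to the background is a separate concern and is not shown here.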
Security researcher ‘Dylan.m’ published a post on Medium on December 24 about the flaw, long after he had reported it to LastPass in June. According to his timeline, the developer confirmed that the problem existed but could not say when it would be fixed. On December 8 he even announced that he would make the information public, to which LastPass reportedly did not respond. Finally, on December 28, an update was pushed for the app and the leak was closed.
LastPass is a digital online vault where users can store their usernames and passwords. These are then encrypted with a single “master password” that allows users to access everything; the so-called ‘last password they need to remember’. The service is available in the form of browser extensions and an Android and iOS app.
LastPass has suffered from security vulnerabilities in the past.