With users signing up for an ever-increasing number of online services, there has been an innate need for password managers. Users have further gravitated towards apps that can secure their online identity with the use of two-factor authentication. But, what would be your reaction if I told you that LastPass Authenticator for Android isn’t completely secure?
Yes, you’re reading it right. The LastPass Authenticator app on Android, that’s used to log into LastPass and other supported apps, has a security loophole that enables anyone to bypass the PIN or fingerprint authentication you’ve used to top off the security of your 2FA codes stored in the app.
This vulnerability has been discovered by Dylan, a programmer over at Hacker Noon. He has suggested that the Android app for the password manager is not using the protection standards similar to its flagship app, leaving the 2FA codes accessible via individual activities on Android. It can be accessed both in person, as well as via malicious code injection and has been present in the app since June.
To access the 2FA codes, you don’t even need to root the device and can access the same using apps such as Activity Launcher on pre-Oreo devices and QuickShortcutMaker on Android Oreo. If you install any of these apps, you can access ‘com.lastpass.authenticator.activities.SettingsActivity’ activity and press the back button to see the main activity where all 2FA codes lay in all their “unsecured” glory. The LastPass Authenticator app on iOS is completely secure and does not suffer from such a security loophole.
LastPass’ Official Statement
The company has released an official statement via their Support Twitter account, where they state that they’re aware of the security concerns with LastPass authenticator app on Android. The same is being “thoroughly evaluated” and the users who use strong password have nothing to fear.
We’re aware of the concern raised with the Authenticator app and are evaluating it thoroughly.
Users who continue to use strong passwords do not need to take any action at this time.
— LastPass Support (@LastPassHelp) December 27, 2017
So, this simply means that it’ll be better for you, LastPass users, to either stop using the Android app or replace weaker passwords with stronger ones for the time being. How do you feel about this simple yet concerning vulnerability? Share with us your opinion in the comments down below.