It was recently reported that the LastPass Authenticator app for Android contained a serious security flaw: an attacker could bypass the PIN or fingerprint prompt protecting a user's two-factor authentication codes by opening the app's individual activities directly through a third-party launcher such as Action Launcher, rather than through the app's own entry screen. The LastPass team quickly acknowledged the vulnerability and has now announced that it has been fixed in an update rolled out to the Android version of the LastPass Authenticator app.
LastPass notified the user community that the flaw had been resolved via an official blog post, saying, “When a researcher discovered a workaround for the extra PIN/fingerprint prompt, our engineering team fixed the issue that allowed the workaround and the update is available now. Now when the fingerprint/PIN feature is enabled, users must provide their fingerprint or PIN code in order to view the one-time code.”
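The fix the blog post describes amounts to enforcing the PIN/fingerprint gate on every screen that shows a code, not only on the screen a user normally enters through. The following sketch, written for this article and not taken from the LastPass app, shows that pattern on Android: the check lives in `onResume()`, so it runs however the activity was started, including when a launcher opens it directly. `UnlockState`, `GatedActivity`, `PinPromptActivity`, `OtpListActivity`, the extra name and the 60-second timeout are all assumed names and values.

```java
import android.app.Activity;
import android.content.Intent;
import android.os.SystemClock;

// Process-wide unlock state shared by all gated screens. It is re-checked on
// every resume, so an unlock never outlives MAX_UNLOCK_AGE_MS (assumed value).
final class UnlockState {
    private static final long MAX_UNLOCK_AGE_MS = 60_000L;
    private static long unlockedAt = -1L;

    static synchronized void markUnlocked() { unlockedAt = SystemClock.elapsedRealtime(); }
    static synchronized boolean isUnlocked() {
        return unlockedAt >= 0
            && SystemClock.elapsedRealtime() - unlockedAt < MAX_UNLOCK_AGE_MS;
    }
}

// Every screen that displays a one-time code extends this class. Because the
// check runs in onResume(), it applies no matter who started the activity: the
// app's own flow or a third-party launcher opening the code screen directly
// (the bypass path the article describes). Such screens should also carry
// android:exported="false" in the manifest; this gate is the second layer.
abstract class GatedActivity extends Activity {
    static final String EXTRA_RETURN_TO = "return_to"; // assumed extra name

    @Override
    protected void onResume() {
        super.onResume();
        if (!UnlockState.isUnlocked()) {
            Intent prompt = new Intent(this, PinPromptActivity.class)
                .putExtra(EXTRA_RETURN_TO, getClass().getName());
            startActivity(prompt);
            finish(); // Back cannot return here without passing the prompt
        }
    }
}

// The PIN/fingerprint prompt. The verification itself (PIN comparison or a
// BiometricPrompt callback) is out of scope; onVerified() is the only place
// that opens the gate, after which the originally requested screen is reopened.
class PinPromptActivity extends Activity {
    void onVerified() {
        UnlockState.markUnlocked();
        String target = getIntent().getStringExtra(GatedActivity.EXTRA_RETURN_TO);
        if (target != null) startActivity(new Intent().setClassName(this, target));
        finish();
    }
}

// The code list inherits the gate instead of trusting that its caller enforced it.
class OtpListActivity extends GatedActivity { }
```

The important property is that `OtpListActivity` contains no gating logic of its own to forget; any new code screen added later gets the check by extending `GatedActivity`.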
Aside from informing users about the fix, LastPass' blog post assured them that the vulnerability, which was discovered by a programmer named Dylan, was not easy to exploit: it required physical access to a user's device, and even with the device in hand, the stolen one-time codes would be useless without the login credentials for the service they belong to. The blog post further assures LastPass Authenticator users that, despite the apparent severity of the loophole, the vulnerability never risked exposing the underlying TOTP (Time-based One-Time Password) secrets or generation mechanism.
Now that a fix has been rolled out, LastPass has urged users to update the Authenticator app to protect their personal data from intrusion by malicious parties, and has also revealed that its official process for reporting security issues has been improved.