LastPass’ Authenticator app might not be as secure as you think
- A programmer discovered an exploit in the LastPass Authenticator app
- The exploit supposedly allows you to view 2FA codes without your fingerprint or PIN
- LastPass has yet to respond for comment on the issue
For those of you using LastPass as your password manager of choice, you've probably heard of or used the company's Authenticator app. Released last year, LastPass Authenticator introduces two-factor authentication to your LastPass account and other supported applications.
As useful as the app is, it appears to have a glaring security hole that lets the fingerprint or PIN lock you have in place be bypassed entirely.
That hole was discovered by Dylan, a programmer over at Hacker Noon, who found that all it takes to reach your 2FA codes is launching one of the app's individual activities directly. There is no need to root your device, either: Dylan says you can use an app like Activity Launcher on devices running Android Nougat and older, or QuickShortcutMaker on devices running Android Oreo.
According to the programmer, the activity to look for is "com.lastpass.authenticator.activities.SettingsActivity". Once it is open, pressing the back arrow button takes you to the Main activity, where all of your 2FA codes are displayed. Dylan says that he was never asked for his fingerprint or PIN at any point.
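The class of weakness described here is an app that enforces its lock screen only on the launcher activity while leaving other activities reachable from outside the app. The manifest audit below is an added example written for this article; it is not LastPass code, and the manifest it parses is constructed for illustration (a hypothetical `com.example.authenticator` package, not the real LastPass Authenticator manifest). It applies Android's component-export rules: an activity is reachable from other apps when `android:exported="true"`, or when the attribute is absent and the activity declares an `<intent-filter>` (the default before Android 12; apps targeting API 31 or higher must set the attribute explicitly or fail to install).

```python
"""Audit an AndroidManifest.xml for activities other apps could start directly.

Added example, not LastPass code. SAMPLE_MANIFEST is constructed for
illustration and does not describe any real app.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def _full_name(package, name):
    """Expand ".Foo" or "Foo" to the fully qualified class name."""
    if name.startswith("."):
        return package + name
    if "." not in name:
        return f"{package}.{name}"
    return name


def externally_reachable_activities(manifest_xml):
    """Return (activity_name, reason) for every activity another app can start.

    Rules applied:
      * android:exported="true"  -> reachable
      * android:exported="false" -> not reachable
      * attribute absent         -> reachable only if an <intent-filter> is
                                    declared (pre-Android-12 default; with
                                    targetSdk >= 31 the attribute is mandatory)
    An activity guarded by android:permission is still reported, with the
    permission named, because reachability then depends on who holds it.
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    uses_sdk = root.find("uses-sdk")
    target_sdk = 0
    if uses_sdk is not None:
        target_sdk = int(_attr(uses_sdk, "targetSdkVersion") or 0)

    findings = []
    app = root.find("application")
    if app is None:
        return findings
    for act in app.iter("activity"):
        name = _full_name(package, _attr(act, "name") or "")
        exported = _attr(act, "exported")
        has_filter = act.find("intent-filter") is not None
        permission = _attr(act, "permission")

        if exported == "true":
            reason = 'android:exported="true"'
        elif exported is None and has_filter:
            if target_sdk >= 31:
                reason = "intent-filter present, android:exported unset (install error on targetSdk >= 31)"
            else:
                reason = "intent-filter present, android:exported unset (exported by default before Android 12)"
        else:
            continue  # explicitly not exported, or no intent-filter and no attribute
        if permission:
            reason += f"; guarded by permission {permission}"
        findings.append((name, reason))
    return findings


# Constructed manifest: a launcher activity plus an explicitly exported
# settings screen, an unlock screen kept internal, and one activity with
# neither an attribute nor a filter.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.authenticator">
  <uses-sdk android:targetSdkVersion="26" />
  <application>
    <activity android:name=".activities.MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <activity android:name=".activities.SettingsActivity" android:exported="true" />
    <activity android:name=".activities.UnlockActivity" android:exported="false" />
    <activity android:name=".activities.InternalActivity" />
  </application>
</manifest>
"""

if __name__ == "__main__":
    for activity, why in externally_reachable_activities(SAMPLE_MANIFEST):
        print(f"{activity}: {why}")
```

Every activity the script lists is an entry point that skips whatever the launcher activity does on startup, so an app that holds secrets behind a PIN or fingerprint should either mark such activities `android:exported="false"` or re-check the unlock state in each of them (for example in `onResume`) rather than only at the launcher.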
Here's where things get a bit hairier. According to Dylan, he first reported the workaround in June, with a LastPass support representative confirming he could replicate the issue. When Dylan followed up with LastPass, he was reportedly told that there was no ETA for a fix.
Fast forward to December, and Dylan was reportedly told that the issue was "still being investigated" and that there were no updates. Dylan then decided to publish the details regarding the issue a little over two weeks after he last communicated with LastPass.
In other words, the issue seems to still exist in the LastPass Authenticator app and there doesn't appear to be a fix anytime soon. To be sure, Android Authority reached out to LastPass for comment on the matter and will update this article accordingly.
Still, it's a bit odd that this issue has been known since June and no update has been issued to close the workaround. Also, just in case you were wondering, this issue doesn't appear to exist in the iOS version.