Password manager LastPass offers an authenticator app simply called LastPass Authenticator, which was recently revealed to have poor security on Android. The authentication app is designed to add an element of security by offering an alternative to the traditional 2FA SMS method of authorizing access. Turns out, though, that Android users may be more vulnerable by using LastPass Authenticator, as it gives hackers a (convoluted) way to nab the codes.
Following public news of the security issue, LastPass has issued a statement explaining that its engineers have fixed the aforementioned vulnerability — LastPass users on Android who utilize the Authenticator app should be sure to update right away. According to the company, users who enable the fingerprint/PIN extra security feature will need to provide one of those to view the one-time authenticating code.
The company goes on to explain that LastPass’s vulnerability wouldn’t have been easy to exploit since the hacker would need access to the device itself, as well as the user’s password and username. Still, the potential was there for a hacker to get access and now, assuming you’ve updated the Authenticator App, it isn’t.
In addition to pushing out a fix, LastPass says it has “identified and resolved the procedural issue” that resulted in this issue not being quickly escalated and fixed. This should result in any future problems being dealt with more rapidly, according to the company.
Finally, the company is encouraging its customers and users to practice what it calls “good cyber hygiene,” including staying on alert for phishing attacks, enabling 2FA for LastPass (and for anything else you use that offers it), and never reusing or sharing your LastPass master password, either of which would leave your data vulnerable. The company also says to always update your software when an update is available and to use anti-virus software on your computer.
SOURCE: LastPass Blog