LastPass Fixes Major Security Flaw in Authenticator App

Password manager LastPass has issued an update to the Android version of its app to fix a flaw discovered by a security researcher who bypassed the security feature to log into the application.

LastPass, arguably the world’s most popular password manager, has fixed yet another critical security flaw that left its Android app open to an exploit. While password managers are an excellent tool to have at one’s disposal, the possibility of an intruder gaining access to the master password could spell big trouble. To combat this, password managers typically have an added layer of security from accessing the vault. LastPass deploys a fingerprint/PIN security feature as its two-factor authentication. However, a developer was able to exploit the feature last week by bypassing the security on the Android version of the app.

“I’ve found a really easy way to bypass the fingerprint/PIN authentication that protects all of your 2FA codes,” the researcher wrote. “The Android app, produced by LastPass, doesn’t use the same protection that their flagship app uses (like locking when idle, lock on screen off, etc).”

For its part, LassPass confirmed that its engineering team has now fixed the issue to resolve the workaround.

In a statement, the company confirmed it would also revamp its bug bounty program and support process to identify and resolve critical flaws in a timely manner. In other words, a day – instead of a week – to fix major security concerns.

The company stated:

In addition to strengthening the app, the report highlighted needed improvements to our support process. Because this report did not come through our bug bounty program, proper steps were not taken to escalate and resolve it in a timely manner.

The update is now available for Android users on the Google Play Store. It is highly recommended that Android users download the latest (patched) version of the application.