The reason why you would want an app like Authenticator, developed by popular password manager LastPass, is that you are concerned with protecting the apps installed on your device and the services you access through it. But what if that app can actually be a gateway for someone to hack into your passwords? That is a major cause for concern. A programmer discovered this security flaw in Authenticator, and now we are waiting for LastPass to do something about it.
Dylan, a programmer who published an article on Hacker Noon, said that he found a flaw that gives access to your 2FA codes without rooting your device and without being asked for fingerprint or PIN authentication. An app like Activity Launcher or QuickShortcutMaker, which can start an app's individual activities, is enough: launch “com.lastpass.authenticator.activities.SettingsActivity”, then press the back arrow button, and you’ll be led to the Main activity where all your 2FA codes are visible.
According to Dylan, he reported this to LastPass last June and a support representative acknowledged this workaround. But they did not give him an estimate as to when this can be fixed. Fast forward to six months later, and there’s still no update to fix it. In response to his recent post, LastPass tweeted that they are “evaluating it thoroughly” but those who use “strong passwords” should not be worried.
We’re aware of the concern raised with the Authenticator app and are evaluating it thoroughly. Users who continue to use strong passwords do not need to take any action at this time.
— LastPass Support (@LastPassHelp) December 27, 2017
While we understand that developing and updating apps, especially the security part of it, takes time, 6 months of no solution to a security flaw is probably too much. Hopefully, LastPass will be able to solve this issue before nefarious hackers can find a way to take advantage of this.
VIA: Hacker Noon