Almost six months after a developer reported to their customer service that the Authenticator app had a security flaw, LastPass has finally released an update to fix it. The flaw allowed the user to work around the fact that you need a PIN or fingerprint to open the LastPass app and see the list of passwords. But now they say updating the app will ask users to provide the fingerprint or PIN to view the one-time code that will be sent to be able to open the LastPass app.
LastPass emphasized in its press release that the reported workaround would not work if you did not have physical access to the device and the one-time codes are useless if you didn’t have the username and password for the services. But still, the fact that there is a possible workaround is cause for concern, hence the update to the latest version. You would also need to enable the fingerprint/PIN feature so that you have another layer of security.
And because it took six months for this to be resolved, LastPass also assured its users that there will be improvements to their support process. The explanation for the long response time was that it did not go through the bug bounty program but through their customer support. But proper steps were not taken to escalate it and resolve it in a timely manner.
They also took this time remind users to observe “good cyber hygiene” like not clicking on suspicious links, not re-using the master password, using strong, unique passwords, etc. Let’s hope this update to the Authenticator app will solve this flaw.
SOURCE: LastPass
