
LastPass’ Authenticator app is not secure - codeka
https://medium.com/@dylan.m/lastpass-authenticator-app-is-not-secure-77b9743c3007
======
zupzupper
LastPass produces two apps, the Password Manager and this Authenticator App,
which looks like a 2FA competitor to Google Authenticator.

The bug the article is detailing is in the Authenticator application, not the
Password Manager application, which wasn't very clear to me on my first read.

~~~
banachtarski
Now I'm confused. It says it in the title? Where might the confusion stem
from?

~~~
scarhill
If people don't know that LastPass has a 2FA app, they might think LastPass
Authenticator is the password manager app, and is affected by this bug. As a
matter of fact, a number of commenters seem to think exactly that.

~~~
banachtarski
Right but I guess to me "password management" and "authentication" are two
entirely separate concepts (i.e. authorization vs authentication being
separate English words).

I can authorize someone to do something. I authenticate that a person is who
he or she claims to be.

~~~
Belphemur
The username/password combo authenticates the person as much as it authorizes
them to access the service.

Different meaning but connected nonetheless.

------
dzhiurgis
I accidentally caught LastPass doctoring their terrible track record of
security in Wikipedia:

[https://news.ycombinator.com/item?id=15756044](https://news.ycombinator.com/item?id=15756044)

This was just over a month ago, and published only here.

~~~
slumberlust
I looked at your post, are you referencing the removal of the entire
vulnerabilities section on the grounds that it was promoting Tavis?

------
darrmit
I can’t figure out why LastPass is still so popular. Ease of use since it’s
completely browser based? They were early to market? I don’t get it.

So many better designed, more secure options out there. KeePass, Bitwarden, or
1Password to name a few.

~~~
yegle
The ability to fill passwords in Android apps. The last time I checked there
were no competitors doing this.

I'm hoping the Autofill API in Android Oreo can bring more competition.

~~~
beckler
1password registers a specific keyboard... but I'm not a big fan of that
method. It's a terrible keyboard tbh.

~~~
yegle
I was actually surprised that 1password never implemented in-app password fill
using accessibility API.

------
scarhill
As it happens, I switched from Google Authenticator to LastPass Authenticator
a few days ago. The app has a feature that allows you to require a PIN or
fingerprint in order to use it. That feature is disabled by default. (Note
that Google Authenticator has no such feature.) As I understand it, this
attack allows someone with access to my unlocked phone to install an activity
launcher app and then generate 2FA codes without supplying a PIN or
fingerprint. Actually, for my phone they wouldn't need to bother with the
launcher app, because I didn't enable the additional fingerprint/PIN feature--
it seems to reduce convenience while adding little security.

Still, it's definitely a bug. They should either fix it or remove the feature
so people aren't misled into thinking their two-factor codes are secure when
they're not.

~~~
chocolatkey
LineageOS users can enable Privacy Guard to protect Google Authenticator,
which requires device credentials (pattern, fingerprint etc.) to start the app.
Also don't put it on your home screen.

------
ComputerGuru
The code, tech, and mindset behind LastPass is a joke. They started just after
the “dark ages” of security but don’t seem to have upgraded their mental model
of security since. I’ll share with you the moment I discovered something that
made me cancel my schedule for the day, research alternatives, write a
LastPass to 1Password converter [0], and cancel my LastPass account and
subscription.

Are you ready?

You log in to their support forums and online community with the same password
you decrypt your vault with.

[0]: [https://neosmart.net/blog/2017/a-free-lastpass-to-1password-...](https://neosmart.net/blog/2017/a-free-lastpass-to-1password-conversion-utility/)

EDIT:

To answer some of the comments, since understandably not everyone is a
security expert:

What happens if LastPass’s web forum is compromised and all their additional
security counts for nothing?

Even if not: you have no problem with people being conditioned to enter the
password securing all their passwords repeatedly into random pages for random
content not related in any way, shape, or form to their vault in a web
browser?

Containment is the name of the game. It’s hard enough making one app secure
enough to enter your password into. Then extending that with an SSO, relying
on the security of none other than notoriously crappy phpBB, vulnerable to
upstream code injections, XSS, phishing attacks, and god knows what else, and
you still think you can trust them to keep your master password secure?

LastPass is such a juicy target and this is such an easy attack vector that I
can virtually guarantee at some point phpBB - or, more accurately, their abuse
of it - will be a massive liability and the source of a huge catastrophe for
them, if it hasn’t secretly already.

Of course they know to treat changes to their authentication apps very
carefully and code review each and every syllable added or removed (well, I
hope so). But do they review upstream patches to the forum software they use?
What about the third party template they have installed? Do they hold off on
patches after a security bug is discovered in phpBB so they can review the
code changes? Do they even upgrade their forums? What about a vulnerability in
PHP itself? Do they secure the server hosting their authentication apps in the
same manner as the server hosting their forums? Do their web developers
undergo the same background checks and scrutiny their core developers undergo?
How many sysadmins have access to the website? Do they provide the same access
monitoring to people managing an ancillary feature like their forum software?

The list just goes on forever. You’re as secure as the weakest link. All
anyone who wants to break into LastPass has to do is get some code into phpBB
or the random phpBB themes and plugins they use and it’s game over for
millions of LP users and billions of credentials worldwide.

See the problem?

~~~
BearGoesChirp
Electronic password managers never made sense to me. While you can do more to
secure a single target, it is a more valuable target and one mistake costs you
all your passwords. For me a physical password journal is best. While it does
make you vulnerable to physical attackers, the cost invested to target someone
physically is so much higher that if I have to deal with that threat level I'm
already a goner. Just have to hide it from the kids.

~~~
jXCw1N0jtH3
My approach for anything remotely sensitive, or that could be used to gain
access to other accounts, is to generate a LastPass password and to memorize a
handful of short "salts" that I add to each sensitive password manually +
using 2FA wherever it's available.

Obviously there's no 100% secure approach, but at least this makes me sleep
better knowing that if LastPass were compromised, my stored gmail, bank,
paypal, work, etc. passwords wouldn't work.

~~~
Too
Thanks for that tip. I was always worried a lost vault could leak all my
accounts in one go but with this trick I think I'm confident enough to start
using a password manager.

------
ilyagr
I'm very confused about how bad this is, the article seems unclear. Does it
allow malicious apps to steal the OTA codes? Does it allow malicious apps to
steal the keys used to generate the OTA codes? Does it allow a user to see the
keys? Is it none of the above?

All I get from the article is that the user might be able to see the OTA codes
in a roundabout way. If that's the entire problem, why is it a problem?

~~~
willstrafach
It is difficult to understand, but it seems like the app normally has some
sort of PIN protection in order to open it. This is apparently a bypass method
for that protection.

Maybe I am misunderstanding, but it really does not seem like much of a big
deal, as someone would need to have your phone in hand as well as your lock
screen passcode.

The title seems pretty dishonest, if my interpretation of this issue is
correct.

------
mankash666
The worrying bit is LastPass' inaction since July 2017, when they were
notified of the issue. For a product whose aim is to secure your credentials,
this is a lax attitude to security.

------
zwerdlds
Well this is disappointing. In the past, LastPass seemed to have been
receptive to patching these kinds of things.

But no follow-up via email? Maybe it's time to start looking at other options.

------
exabrial
Props for the responsible disclosure timeline.

------
strictnein
So the moral of the story is don't let people install applications on your
Android device? And the bigger moral is: don't hand someone your unlocked
Android device and let them play with it for an extended period of time?

~~~
willstrafach
You are correct. Not sure why you were downvoted.

------
david-cako
Wow, color me surprised. Software developers aren't perfect, and closed source
software with less eyes on it tends to be even less perfect.

I will never trust my passwords all being in one place other than my brain.

~~~
BoorishBears
You can't keep varied, secure passwords in your head unless you barely use any
services.

~~~
alkonaut
Most people don’t use many services where security is important. It’s not
uncommon to have several hundred accounts with passwords, but I have maybe 10
that I really worry about being hacked/lost. For all the crap sites I can just
use $singlepassword+$servicename as password. For the few sensitive ones I use
strong passwords and 2FA. I do use a manager to keep those strong passwords -
but even though I have it, I can’t be bothered to use strong passwords for all
those forums, web shops etc.

Is my solution secure? No. Using a bad password for hundreds of sites is
definitely not secure - but the quality of a password only needs to be
proportional to the sensitivity of what it protects.

~~~
BoorishBears
When I started using a password manager I did something similar, but I told
myself every site which used the "insecure" password was linked. So I'd ask
myself "If someone hacked the least consequential site I've used this password
on, they'd also have hacked this site, do I care?"

It was very rare that the extra 30 seconds to add a new entry to the password
manager wasn't justified after asking myself that question.

I think it all comes down to ease. Yes, some secure passwords are better than
none, but it's just _soooo easy_ I'd just say go with the PM.

