from Hacker News

LastPass’ Authenticator app is not secure

by codeka on 12/27/17, 4:32 PM with 113 comments

  • by zupzupper on 12/27/17, 5:56 PM

    LastPass produces two apps, the Password Manager and this Authenticator App, which looks like a 2FA competitor to Google Authenticator.

    The bug the article is detailing is in the Authenticator application, not the Password Manager application, which wasn't very clear to me on my first read.

  • by dzhiurgis on 12/27/17, 9:39 PM

    I accidentally caught LastPass doctoring their terrible track record of security in Wikipedia:

    https://news.ycombinator.com/item?id=15756044

    This was just over a month ago, and published only here.

  • by darrmit on 12/27/17, 4:54 PM

    I can’t figure out why LastPass is still so popular. Ease of use since it’s completely browser based? They were early to market? I don’t get it.

    So many better designed, more secure options out there. KeePass, Bitwarden, or 1Password to name a few.

  • by ComputerGuru on 12/27/17, 5:15 PM

    The code, tech, and mindset behind LastPass is a joke. They started just after the “dark ages” of security but don’t seem to have upgraded their mental model of security since. I’ll share with you the moment I discovered something that made me cancel my schedule for the day, research alternatives, write a LastPass to 1Password converter [0], and cancel my LastPass account and subscription.

    Are you ready?

    You log in to their support forums and online community with the same password you decrypt your vault with.

    [0]: https://neosmart.net/blog/2017/a-free-lastpass-to-1password-...

    EDIT:

    To answer some of the comments, since understandably not everyone is a security expert:

    What happens if LastPass’s web forum is compromised and all their additional security counts for nothing?

    Even if not: you have no problem with people being conditioned to enter the password securing all their passwords repeatedly into random pages for random content not related in any way, shape, or form to their vault in a web browser?

    Containment is the name of the game. It’s hard enough making one app secure enough to enter your password into. Then extending that with an SSO, relying on the security of none other than notoriously crappy phpBB, vulnerable to upstream code injections, XSS, phishing attacks, and god knows what else, and you still think you can trust them to keep your master password secure?

    LastPass is such a juicy target and this is such an easy attack vector that I can virtually guarantee at some point phpBB - or, more accurately, their abuse of it - will be a massive liability and the source of a huge catastrophe for them, if it hasn’t secretly already.

    Of course they know to treat changes to their authentication apps very carefully and code review each and every syllable added or removed (well, I hope so). But do they review upstream patches to the forum software they use? What about the third party template they have installed? Do they hold off on patches after a security bug is discovered in phpBB so they can review the code changes? Do they even upgrade their forums? What about a vulnerability in PHP itself? Do they secure the server hosting their authentication apps in the same manner as the server hosting their forums? Do their web developers undergo the same background checks and scrutiny their core developers undergo? How many sysadmins have access to the website? Do they provide the same access monitoring to people managing an ancillary feature like their forum software?

    The list just goes on forever. You’re as secure as the weakest link. All anyone that wants to break into LastPass has to do is get some code into phpBB or the random phpBB themes and plugins they use and it’s game over for millions of LP users and billions of credentials worldwide.

    See the problem?

  • by scarhill on 12/27/17, 6:19 PM

    As it happens, I switched from Google Authenticator to LastPass Authenticator a few days ago. The app has a feature that allows you to require a PIN or fingerprint in order to use it. That feature is disabled by default. (Note that Google Authenticator has no such feature.) As I understand it, this attack allows someone with access to my unlocked phone to install an activity launcher app and then generate 2FA codes without supplying a PIN or fingerprint. Actually, for my phone they wouldn't need to bother with the launcher app, because I didn't enable the additional fingerprint/PIN feature--it seems to reduce convenience while adding little security.

    Still, it's definitely a bug. They should either fix it or remove the feature so people aren't misled into thinking their two-factor codes are secure when they're not.
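    As an added illustration (not LastPass's code and not from the article), this shows how a code-display activity can enforce the PIN gate inside its own lifecycle rather than only on the app's normal entry path, so that launching the screen directly through an activity launcher still lands on the PIN prompt; the `AppLock` helper, `PinActivity` and the package name are assumed.

```java
// Hypothetical package; the manifest entry for CodesActivity would also carry
// android:exported="false" so other apps cannot start it. The check below is
// the second layer, for the case where the screen is reachable anyway.
package example.authenticator;

import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;
import android.os.SystemClock;
import android.view.WindowManager;

/** Process-wide lock state (hypothetical helper, in-memory only). */
final class AppLock {
    private static final long UNLOCK_WINDOW_MS = 30_000L;
    private static long unlockedAtMs = 0L;

    static synchronized void markUnlocked() {
        unlockedAtMs = SystemClock.elapsedRealtime();
    }

    static synchronized boolean isUnlocked() {
        return unlockedAtMs != 0L
                && SystemClock.elapsedRealtime() - unlockedAtMs < UNLOCK_WINDOW_MS;
    }
}

/** Screen that renders the one-time codes; it never trusts how it was launched. */
public class CodesActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Keep codes out of screenshots and the recent-apps thumbnail.
        getWindow().addFlags(WindowManager.LayoutParams.FLAG_SECURE);
    }

    @Override
    protected void onResume() {
        super.onResume();
        // Enforce the PIN here, not only in the app's launcher flow: a direct
        // launch of this activity is still redirected to PinActivity.
        if (!AppLock.isUnlocked()) {
            startActivity(new Intent(this, PinActivity.class)); // hypothetical screen
            finish();
            return;
        }
        renderCodes();
    }

    private void renderCodes() { /* populate the code list from the stored secrets */ }
}
```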

  • by ilyagr on 12/27/17, 7:05 PM

    I'm very confused about how bad this is, the article seems unclear. Does it allow malicious apps to steal the OTA codes? Does it allow malicious apps to steal the keys used to generate the OTA codes? Does it allow a user to see the keys? Is it none of the above?

    All I get from the article is that the user might be able to see the OTA codes in a roundabout way. If that's the entire problem, why is it a problem?

  • by zwerdlds on 12/27/17, 5:12 PM

    Well this is disappointing. In the past, LastPass seemed to have been receptive to patching these kinds of things.

    But no follow-up via email? Maybe it's time to start looking at other options.

  • by exabrial on 12/27/17, 5:07 PM

    Props for the responsible disclosure timeline

  • by strictnein on 12/27/17, 5:16 PM

    So the moral of the story is don't let people install applications on your Android device? And the bigger moral is: don't hand someone your unlocked Android device and let them play with it for an extended period of time?

  • by david-cako on 12/27/17, 4:49 PM

    Wow, color me surprised. Software developers aren't perfect, and closed source software with less eyes on it tends to be even less perfect.

    I will never trust my passwords all being in one place other than my brain.

  • by mankash666 on 12/27/17, 8:26 PM

    The worrying bit is LastPass' inaction since July 2017, when they were notified of the issue. For a product whose aim is to secure your credentials, this is a lax attitude to security.