[PSA] LastPass vault access vulnerability discovered

Mooncatt

Ambassador
Feb 23, 2011
For anyone using LastPass, I discovered a major vulnerability with their Android app in April that would allow anyone with access to your phone to gain full access to your LastPass vault without verifying the credentials, even if the app is set to automatically lock after a certain time. I tried to report this to LastPass as responsibly as I could, doing so privately and giving them the standard 90 days to fix it. That time has come and gone, and they don't seem very enthusiastic about fixing this, so it's time to take this public. The following is an excerpt from the video description that cuts to the chase on what's going on and how to work around it.

The vulnerability is centered around using the quick settings tile option to use the app, and the app auto-lock feature. The video starts with a short explanation and demonstration of the bug in question. Note the entire screen blacks out at 2:05 when discussing my interaction with my banking app. It seems that app is set to prevent itself from being recorded (I didn't know this at the time), but you can still see the LastPass auto-fill popups affected by the bug. I then left the screen recorder running for approx. 45 minutes while the phone was left mostly idle and never interacted with LastPass or anything requiring a login. At 50:30 into the video, I come back and again demonstrate that the bug is present well past the 1 minute timeout. Next, I go into the LastPass app to show the lockout settings were turned on during the entire recording. I end by setting the timeout to "always," which has functioned properly so far, and use the quick settings tile again while on the Flagstar web page to show the expected result of asking for biometrics in the auto-fill popup.

The good news is that this vulnerability is easily stopped by setting the auto-lock to always, or fully logging out of the app. If you have a secure lock screen set up on your phone, that can also help mitigate the risk.

As I mention in the main video description, I'm not sure how widespread this issue is. I'm only one guy, and could only test the phones I had at my disposal. To have others test it would risk it becoming known to those looking to exploit it.

https://youtu.be/SWBkKYH3vZY
 
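The failure described in the opening post (auto-lock honoured from the app icon but not from the quick settings tile, and the "always" setting behaving correctly) boils down to a design rule: every entry point into the vault must pass through the same lock check. The following Python model is an added example and is not LastPass's code; the class names, the buggy tile path that keeps its own "still unlocked" flag, and the fake clock are all assumptions made up for illustration.

```python
from typing import Callable, Optional


class FakeClock:
    """Constructed, controllable clock so the timeout behaviour is deterministic."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class AutoLockPolicy:
    """Hypothetical auto-lock state. timeout_seconds=None models the 'always'
    setting: every vault access re-authenticates regardless of elapsed time."""

    def __init__(self, timeout_seconds: Optional[float], clock: Callable[[], float]) -> None:
        self.timeout = timeout_seconds
        self.clock = clock
        self.unlocked_at: Optional[float] = None

    def mark_unlocked(self) -> None:
        self.unlocked_at = self.clock()

    def requires_reauth(self) -> bool:
        # Never unlocked, or configured as "always": prompt.
        if self.unlocked_at is None or self.timeout is None:
            return True
        return self.clock() - self.unlocked_at >= self.timeout


class VaultModel:
    """Two entry points into one vault: the app itself and a quick settings tile."""

    def __init__(self, policy: AutoLockPolicy) -> None:
        self.policy = policy
        # Assumed flaw: the tile path caches its own view of the lock state.
        self._tile_thinks_unlocked = False

    def open_from_app(self, authenticate: Callable[[], bool]) -> str:
        # The single gate: consult the policy, prompt if needed.
        if self.policy.requires_reauth():
            if not authenticate():
                return "denied"
            self.policy.mark_unlocked()
        self._tile_thinks_unlocked = True
        return "opened"

    def open_from_tile_buggy(self, authenticate: Callable[[], bool]) -> str:
        # Bug modelled: trusts the cached flag and never re-checks the timeout,
        # so the vault stays reachable long after auto-lock should have fired.
        if self._tile_thinks_unlocked:
            return "opened"
        return self.open_from_app(authenticate)

    def open_from_tile_fixed(self, authenticate: Callable[[], bool]) -> str:
        # Fix: every entry point routes through the same gate.
        return self.open_from_app(authenticate)


def count_prompts(timeout_seconds: Optional[float], idle_seconds: float, use_fixed_tile: bool) -> int:
    """Unlock via the app, sit idle, then open via the tile; return how many
    credential prompts the user saw. Two prompts means auto-lock was enforced."""
    clock = FakeClock()
    vault = VaultModel(AutoLockPolicy(timeout_seconds, clock))
    prompts = 0

    def authenticate() -> bool:
        nonlocal prompts
        prompts += 1
        return True  # constructed: the user always passes the check

    vault.open_from_app(authenticate)  # initial unlock: one prompt
    clock.advance(idle_seconds)
    tile = vault.open_from_tile_fixed if use_fixed_tile else vault.open_from_tile_buggy
    tile(authenticate)
    return prompts


if __name__ == "__main__":
    print("buggy tile, 1 min timeout, 45 min idle:", count_prompts(60, 45 * 60, False))
    print("fixed tile, 1 min timeout, 45 min idle:", count_prompts(60, 45 * 60, True))
    print("fixed tile, 'always':", count_prompts(None, 0, True))
```

Running it reproduces the pattern in the video: with the buggy tile path the second access after 45 idle minutes costs no prompt, the fixed path prompts again, and the "always" setting prompts on every access. The detection angle for a reviewer is the same in either direction: if a product has N ways to reach the vault, each one should be traceable to the one function that decides whether the session is still valid.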
Oh the description where you have to copy/paste the URL to open a new window to find it. It's not that obvious, unfortunately
 
The video opens but not the description you refer to unless you copy/paste the URL
I didn't realize that. I don't share a ton of videos, so this was never an issue before. I reworked my opening post to include the most relevant info to hopefully make it more easily understood, and I'll flag this discussion to all be cleaned up after you've had a chance to see this.
 
I've never trusted those password managers for that very reason.... putting all your eggs in one basket means one hack or vulnerability and everything's up for grabs. I'd rather manage them separately and only get one thing hacked at a time lol.
 
I don't understand why some people still use or recommend LastPass. They have been breached 5 times in their history (and now 6 times including this post)! For a password manager company it's a disastrous result, and passwords are something you want maximum security for. I switched to Bitwarden a long time ago, which is an excellent password manager and which is open source.
 
I don't understand why some people still use or recommend LastPass. They have been breached 5 times in their history (and now 6 times including this post)! For a password manager company it's a disastrous result, and passwords are something you want maximum security for. I switched to Bitwarden a long time ago, which is an excellent password manager and which is open source.
To be fair, none of those prior breaches put customer info at risk, at least not that I'm aware of. On a related note, I would expect any manager service to be under constant attack, so having a breach isn't a big concern for me in and of itself. LastPass has fantastic encryption and I wouldn't be worried even if my data "blob" was stolen.

The current issue, while worrisome, isn't yet a deal breaker for me because of the ability to circumvent the bug causing this problem and my own general mindfulness when it comes to my phone. I may start to look for another manager at some point, and I have held off on recommending LastPass to others for now, but I'm also trying to wait to see how this plays out.
 
Since I'm the only one that can access my phone I'm not very worried. I've been using LastPass for many years, just love it.
 
Just when I thought LastPass was safe
For what it's worth, I'm on the beta version of the app and it last updated about a week ago. I don't think I've seen this bug since, so it's possible it's been patched now. I haven't heard any confirmation from LastPass directly, though. I'm on version 4.11.15.5859
 
Criminals will never stop trying to hack data gold mines like LastPass, and they're guaranteed to get through occasionally... if you're comfortable with that then I'd say go ahead and use them. I'm not, so I'll stick to my old fashioned way... more work but more peace of mind. And you know what they say about putting a price on peace of mind, you can't ;-)
 
Tip - I use Roboform, https://www.roboform.com I have for years and have not yet received an email or notification of a breach of their cloud storage. They're currently running a special that gets you cross-device syncing for $12 a year (50% off), code is FBNEW. This is not a personal referral code, it was posted to their Facebook feed. I'm happy to try answering questions if anyone is considering it, except for questions regarding migration of passwords as I can't help with that.

I believe they wrote a blog post about why they were not as vulnerable as others when another password manager was hacked a few years ago. If I can find it I can post it but here's their page regarding security - https://www.roboform.com/security
 
I've been using LastPass for a bunch of years now, but just installed RoboForm after reading this thread :)

If you decide to purchase, PM me, I can get you an additional 6 months free when you buy a subscription. I also get 6 months added to my plan when you use my link.
 
Tip - I use Roboform, https://www.roboform.com I have for years and have not yet received an email or notification of a breach of their cloud storage. They're currently running a special that gets you cross-device syncing for $12 a year (50% off), code is FBNEW. This is not a personal referral code, it was posted to their Facebook feed. I'm happy to try answering questions if anyone is considering it, except for questions regarding migration of passwords as I can't help with that.

I believe they wrote a blog post about why they were not as vulnerable as others when another password manager was hacked a few years ago. If I can find it I can post it but here's their page regarding security - https://www.roboform.com/security

What makes RoboForm better than LastPass? Looks like they're using the same encryption procedures as everyone else.

I think the reason why LastPass has had more vulnerabilities than others is because more people use them.

If no one uses Roboform, then there is no incentive to break into their security (ironically, this gives a good reason to use Roboform over LastPass)
 
