For anyone using LastPass, I discovered a major vulnerability with their Android app in April that would allow anyone with access to your phone to gain full access to your LastPass vault without verifying the credentials, even if the app is set to automatically lock after a certain time. I tried to report this to LastPass as responsibly as I could, doing so privately and giving them the standard 90 days to fix it. That time has come and gone, and they don't seem very enthusiastic about fixing this, so it's time to take this public. The following is an excerpt from the video description that cuts to the chase on what's going on and how to work around it.
As I mention in the main video description, I'm not sure how widespread this issue is. I'm only one guy, and could only test the phones I had at my disposal. To have others test it would risk it becoming known to those looking to exploit it.
https://youtu.be/SWBkKYH3vZY
The vulnerability is centered around using the quick settings tile option to use the app, and the app auto-lock feature. The video starts with a short explanation and demonstration of the bug in question. Note the entire screen blacks out at 2:05 when discussing my interaction with my banking app. It seems that app is set to prevent itself from being recorded (I didn't know this at the time), but you can still see the LastPass auto-fill popups affected by the bug. I then left the screen recorder running for approx. 45 minutes while the phone was left mostly idle and never interacted with LastPass or anything requiring a login. At 50:30 into the video, I come back and again demonstrate that the bug is present well past the 1-minute timeout. Next, I go into the LastPass app to show the lockout settings were turned on during the entire recording. I end by setting the timeout to "always," which has functioned properly so far, and use the quick settings tile again while on the Flagstar web page to show the expected result of asking for biometrics in the auto-fill popup.
The good news is that this vulnerability is easily stopped by setting the auto-lock to always, or fully logging out of the app. If you have a secure lock screen set up on your phone, that can also help mitigate the risk.