Even if a phone is found unlocked, LastPass requires that a fingerprint or passcode be entered to gain access to temporary two-factor authentication codes. Following the discovery of a method to bypass LastPass’s prompt for a password or PIN on Android, an update has been released to rectify the vulnerability.
In the latest version of LastPass, a fingerprint or passcode is now required and can no longer be bypassed. The previous workaround to circumvent the prompt required physical access to an unlocked Android device, making it a relatively low-risk vulnerability. The exploit never allowed for time-based, one-time passwords to be generated which would have granted access to linked accounts.
The vulnerability was originally reported in June 2017 and was confirmed by LastPass. Several months passed with no timeline for a fix. According to parent company LogMeIn, Inc., the issue in question was not reported through their bug bounty program and therefore did not receive the attention is should have in a timely manner.
Reforms and changes to bug reporting are being made by LastPass to prevent important vulnerabilities from going unnoticed in the future.
All Android users of LastPass should update to the latest version to avoid any possible compromises. LastPass also emphasizes the importance of never reusing passwords or sharing them with anyone. Two-factor authentication paired with unique, complex passwords remains one of the most effective ways to help prevent unauthorized account access.