Here is a case of a tech company that, for over seven months, ignored a vulnerability in its authentication app that an outside programmer had clearly pointed out.
LastPass has finally fixed the vulnerability and has, in a blog post, admitted that it had ignored the complaint.
The vulnerability affects LastPass Authenticator, the app that generates the one-time two-factor (2FA) codes users enter alongside their password.
The Vulnerability Explained
The issue is that the app's Settings Activity could be opened directly, and from there the 2FA codes could be reached without ever entering the PIN or presenting a fingerprint.
What makes this worse is who can take that path: anyone with access to the phone, and, according to the report, any app installed on it, which means the codes could be exposed without anyone physically touching the phone.
In effect the PIN/fingerprint requirement was bypassed, and this is precisely what LastPass has now corrected.
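To make the shape of the bug concrete, here is an added illustration of the pattern the article describes; it is not LastPass's code, and the class names (VulnerableCodesActivity, HardenedCodesActivity, PinLockActivity, AuthSession, CodeStore), the layout name and the 30-second unlock policy are assumptions for the example. The first Activity reveals the one-time codes while trusting that the PIN screen was shown before it, and its manifest entry lets other apps start it; the second is not exported, re-checks the unlock state every time it comes to the foreground, and sends the user to the PIN/fingerprint screen otherwise, which is the behaviour the article later says the fix enforces.

```java
// Added illustration, not LastPass's code. Class, method, layout names and the
// unlock timeout are assumed for the example.
import android.content.Intent;
import android.os.Bundle;
import android.os.SystemClock;
import androidx.appcompat.app.AppCompatActivity;

// Tracks whether the user recently passed the PIN/fingerprint screen.
// PinLockActivity (assumed, not shown) calls markUnlocked() only after a
// successful verification.
final class AuthSession {
    private static final long UNLOCK_VALIDITY_MS = 30_000L; // assumed policy
    private static long unlockedAt = 0L;

    static void markUnlocked() { unlockedAt = SystemClock.elapsedRealtime(); }

    static void lock() { unlockedAt = 0L; }

    static boolean isUnlocked() {
        long now = SystemClock.elapsedRealtime();
        return unlockedAt != 0L && now - unlockedAt < UNLOCK_VALIDITY_MS;
    }
}

// Assumed helper that renders the stored TOTP codes into the activity's layout.
final class CodeStore {
    static void bindCodesToView(AppCompatActivity activity) {
        // rendering of the codes is out of scope for this example
    }
}

// ---- Vulnerable shape -------------------------------------------------------
// Assumed manifest entry: any other app on the device can start this screen.
//   <activity android:name=".VulnerableCodesActivity" android:exported="true" />
// Nothing here verifies that the user unlocked the app first, so an Intent from
// another app, or any other path that lands on this screen, shows the codes
// without a PIN or fingerprint.
class VulnerableCodesActivity extends AppCompatActivity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_codes);
        CodeStore.bindCodesToView(this); // reveals the codes unconditionally
    }
}

// ---- Hardened shape ---------------------------------------------------------
// Assumed manifest entry: not reachable from other apps at all.
//   <activity android:name=".HardenedCodesActivity" android:exported="false" />
// The gate lives in the activity that shows the secret, not only in the screen
// that normally precedes it, and it runs in onResume() so a backgrounded
// activity is re-checked after the unlock window expires.
class HardenedCodesActivity extends AppCompatActivity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_codes);
    }

    @Override
    protected void onResume() {
        super.onResume();
        if (!AuthSession.isUnlocked()) {
            // Send the user to the PIN/fingerprint screen and close this one so
            // pressing Back cannot return here without passing the gate.
            Intent lock = new Intent(this, PinLockActivity.class);
            lock.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK | Intent.FLAG_ACTIVITY_CLEAR_TASK);
            startActivity(lock);
            finish();
            return;
        }
        CodeStore.bindCodesToView(this); // only after a verified unlock
    }

    @Override
    protected void onPause() {
        super.onPause();
        AuthSession.lock(); // leaving the screen ends the unlocked state
    }
}
```

The two properties to check in an app like this are independent: the manifest decides who can start the screen, and the Activity itself decides whether to show anything once started. Fixing only the manifest still leaves any in-app navigation path that skips the PIN screen open, which is why the hardened version checks on every resume rather than relying on the caller.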
Vulnerability Could Have Been Fixed Earlier
Perhaps the most puzzling aspect of this story is why LastPass took no action for so long after being alerted to the vulnerability.
To be fair, the company did warn users that it was working on a fix and that they should avoid using the app until the bug was fixed.
In reality, though, it waited for months before acting.
It was only after the programmer who discovered the vulnerability published a Medium post that the company woke up to the issue and fixed the bug within a couple of weeks.
Solution and Advice
LastPass did fix the vulnerability by issuing a patch and advising users to update the app on their respective phones.
After having released the fix, the company published a blog post on the subject.
In it, they announced that the Authenticator app would receive an update and that users could install it and resume using the app.
They went on to explain that users must now enter the PIN or use the fingerprint sensor to verify their identity before being shown the one-time code.
The codes have no value on their own; an attacker would still need the account's username and master password to use them.
The blog post also offered users some advice. One point is not to reuse the master password they use for the password manager anywhere else.
Another is to choose a stronger master password and to enable two-factor authentication, to reduce the chance of an account being compromised.
The post concludes with LastPass assuring users that it will continue to advance its bug bounty program so that any vulnerability detected in their programs can be reported and fixed quickly.
As mentioned above, the company has acknowledged that it erred in not escalating the disclosure it received from the programmer in the first place.
The Authenticator app should be safer to use now.