LastPass, a popular password manager, has confirmed a bug existed in its software that could let attackers "bypass" its two-factor authentication – a system used to add an extra layer of security that protects users even if their credentials are compromised.
Martin Vigo, a researcher at Salesforce, disclosed the issue via the LastPass bug bounty programme and revealed methods that could allow a hacker to circumvent Google Authenticator – mobile software that generates authentication codes for applications including password managers.
For the two-factor system to work, users must enter this code into LastPass before being granted access to their accounts.
In a blog post this week (20 April), Vigo said the problem was that the firm used a hash of the user's password to generate the scannable QR code needed to set up 2FA on a device.
"LastPass is storing the 2FA secret [code] under a URL that can be derived from your password," Vigo said. "This literally beats the entire purpose of 2FA which is a layer of security to prevent attackers already in possession of the password from logging in."
"To put it in perspective, imagine that you have a safe in your house where you keep your most valuable belongings," the researcher continued, adding: "Do you think it is a good idea to have the same lock for the door and the safe? Should the door key open the safe as well?"
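As an added illustration, not code from LastPass or from Vigo's post: a hypothetical Python model of the design flaw Vigo describes, contrasting a store that files the TOTP secret under a location derived from the password hash with one that uses an independent random identifier. The TOTP function follows RFC 6238; the store classes, the password and the secret are assumed for the example.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

class FlawedSecretStore:
    """Hypothetical model of the flaw: the TOTP secret (what the QR code encodes)
    is filed under a location computed purely from the password hash."""
    def __init__(self) -> None:
        self._secrets = {}

    @staticmethod
    def location(password: str) -> str:
        # Deterministic in the password: whoever has the password has the location.
        return hashlib.sha256(hashlib.sha256(password.encode()).digest()).hexdigest()

    def enroll(self, password: str, secret: bytes) -> None:
        self._secrets[self.location(password)] = secret

    def fetch(self, location: str) -> Optional[bytes]:
        return self._secrets.get(location)

class IndependentSecretStore:
    """Hardened model: the location is a fresh random identifier unrelated to the
    password, released only to a session that has already passed both factors."""
    def __init__(self) -> None:
        self._secrets = {}

    def enroll(self, secret: bytes) -> str:
        location = secrets.token_hex(16)  # independent of every credential
        self._secrets[location] = secret
        return location

    def fetch(self, location: str) -> Optional[bytes]:
        return self._secrets.get(location)

def code_from_password_alone(store: FlawedSecretStore, password: str, unix_time: int) -> Optional[str]:
    """The check a reviewer wants to fail: does the password by itself yield a valid code?"""
    secret = store.fetch(FlawedSecretStore.location(password))
    return None if secret is None else totp(secret, unix_time)
```

In the flawed model the password holder reaches the secret and so computes the same code as the legitimate device, which is exactly why the second factor adds nothing there; in the hardened model the password-derived location finds nothing.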
LastPass successfully fixed the problem roughly 24 hours after the researcher disclosed the vulnerabilities. Bug bounty programmes like those used by LastPass are increasingly used to reward security experts for responsibly telling them about critical software issues.
"Our team recently investigated and resolved a server-side issue affecting Google Authenticator when enabled in LastPass," the company said in a statement on 20 April. "We worked closely with Martin to develop a fix and verify the solution was comprehensive. No user action is required."
It added: "To exploit this issue an attacker would have needed to take several steps to bypass Google Authenticator. First, the attacker would have had to lure a user to a nefarious website. Second, the user would have to be logged in to LastPass at the time of visiting the malicious site."
Despite the problems, the firm has stressed that two-factor authentication "remains the most effective way" to protect an account. Users should continue to enable the feature on online services including banks, email accounts and social media platforms, it added.
Additionally, LastPass recommended a number of best practices for its users:
- Beware of phishing attacks. Do not click on links from people you don't know.
- Never reuse your LastPass master password and never disclose it to anyone, including us.
- Use different, unique passwords for every online account.
- Keep a clean machine by running antivirus and keeping your software up-to-date.
This is not the first LastPass security issue this year. Back in late March, Google Project Zero researcher Tavis Ormandy found a series of security bugs in its Chrome browser extension that – if exploited – could put user credentials at risk to hackers and cybercriminals.