The password manager LastPass has confirmed a flaw in its system. A major flaw was discovered that could potentially allow hackers to get past even its strongest security measures, including two-factor authentication. Two-factor authentication is a popular way of adding an extra layer of protection, but, as it turns out, even this measure can be bypassed.
Martin Vigo, a researcher at Salesforce, has revealed a method that can be used to bypass Google Authenticator, a mobile app that generates the codes used for two-factor authentication. The problem was disclosed through the company's bug bounty programme.
The two-factor system works by sending a temporary code, a kind of key, to the user's phone. After receiving it, the user has a short period of time to enter the code; if they fail, the code changes and the old one is no longer valid. Only by entering the currently valid code can the user get access to their account.
Vigo recently released a blog post in which he said: "LastPass is storing the 2FA secret [code] under an URL that can be derived from your password. This literally beats the entire purpose of 2FA which is a layer of security to prevent attackers already in possession of the password from logging in." He went on to compare this with having a safe in your room but letting the same key open both the room and the safe. In other words, there is no point in having such a system.
The issue was fixed within about 24 hours of being disclosed. This shows that bug bounty programmes really do benefit companies like this: every hole found in their system and security can be closed, and bug hunters are highly motivated to search for them, since a payment awaits anyone with relevant information about a security flaw.
The company acknowledged the flaw in an official statement and added that they had been working with Martin to create a fix. No user action is necessary, and the problem has already been resolved.
They have also described the steps a potential hacker would have had to take in order to breach the security, which included luring a user to a malicious site while they were logged into LastPass.
Even though there was a major flaw in the system, two-factor authentication is still the most effective form of protection, and the company confirms this as well. They also encourage users to enable this feature wherever they can.
They have also recommended several practices for their users, including watching out for phishing attacks, never giving away their LastPass master password, using a different, unique password for every account, and keeping an eye out for viruses and other potential threats. Updating software regularly is also something every user should do.
LastPass has already had security issues this year, the most notable being one discovered in late March by Tavis Ormandy. This only shows that the flaws are being hunted down, and with each one found, the system gets better and safer to use.