Possible security issue with Authenticator and AutoFill.

Posted: Thu Nov 07, 2019 12:44 am
by jkoenig
Not sure where else to post this so I'll post it here.

Background: I use Firefox with LastPass, uBlock Origin, Privacy Badger, DuckDuckGo Privacy Essentials, Decentraleyes, and HTTPS Everywhere add-ons installed.

Firefox clears all history, cookies, caches, and web data on exit, so I must log back into LastPass every time I open my web browser.

I also use the LastPass Authenticator, so each time I log in I have to enter the verification code. I use Face ID: my face gets scanned and it logs me in.

I typically click the LastPass icon on the Firefox add-ons toolbar to log in. My username is saved, so I'm only prompted to enter my password, and afterwards a new tab opens for the Authenticator verification code.

Issue: Say I navigate to my bank's website. I click the LastPass icon and type in my password, a new tab opens and I get redirected to the Authenticator verification code entry. BUT if I switch back to the tab with my bank's website BEFORE I complete the Authenticator verification, my username and password have been auto-filled by LastPass, and I am not actually logged into LastPass yet.

My info is being auto-filled into username/password fields before I'm logged into LastPass. I am unsure if this is due to any settings I have in Firefox or my add-ons, but I believe that is unlikely.

Re: Possible security issue with Authenticator and AutoFill

Posted: Sun Nov 10, 2019 5:47 pm
by jonat
See ... n-lp010125 for an explanation.

What happens here is that LastPass encounters some temporary delay in connecting to the LastPass server, so it then tries the copy of your vault saved on your computer (see ... r-lp070008) from a previous successful login. It uses this to do the autofill. The request for the 2FA code is to protect against some other actor who knows your master password and tries to log in as you on another device. If the local vault is present, 2FA isn't a barrier.

If you want to disable the local vault copy, you can on most devices. See ... n-lp010105