Possible security issue with Authenticatior and AutoFill.



Postby jkoenig » Thu Nov 07, 2019 12:44 am

Not sure where else to post this so I'll post it here.

Background: I use Firefox with LastPass, uBlock Origin, Privacy Badger, DuckDuckGo Privacy Essentials, Decentraleyes, and HTTPS Everywhere add-ons installed.

Firefox clears all history, cookies, caches, and web data on exit so I must re-login into LastPass every time I open my web browser.

I also use the LastPass Authenticator, so each time I log in I have to enter the verification code. I use Face ID: my face gets scanned and it logs me in.

I typically click the LastPass icon on the Firefox add-ons toolbar to log in. My username is saved, so I'm only prompted to enter my password, and afterwards a new tab opens for the Authenticator verification code.

Issue: Say I navigate to my bank's website. I click the LastPass icon and type in my password; a new tab opens and I get redirected to the Authenticator verification code entry. BUT if I switch back to the tab with my bank's website BEFORE I complete the Authenticator verification, my username and password have already been autofilled by LastPass, and I am not actually logged into LastPass yet.

My info is being autofilled into username/password fields before I'm logged into LastPass. I am unsure if this is due to any settings I have in Firefox or my add-ons, but I believe that is unlikely.
jkoenig
 
Posts: 1
Joined: Thu Nov 07, 2019 12:16 am

Re: Possible security issue with Authenticatior and AutoFill

Postby jonat » Sun Nov 10, 2019 5:47 pm

See https://support.logmeininc.com/lastpass ... n-lp010125 for an explanation.

What happens here is that LastPass encounters some temporary delay in connecting to the LastPass server, so it then tries the copy of your vault saved on your computer (see https://support.logmeininc.com/lastpass ... r-lp070008) from a previous successful login. It uses this to do the autofill. The request for the 2FA code is to protect against some other actor knowing your master password and trying to log in as you on another device. If the local vault is present, 2FA isn't a barrier.

If you want to disable the local vault copy, you can on most devices. See https://support.logmeininc.com/lastpass ... n-lp010105
jonat
 
Posts: 2202
Joined: Thu Dec 09, 2010 8:42 pm
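As an added illustration (not code from LastPass or from either poster), here is a small Python model of the two unlock paths the reply describes: the online login, which the server gates with the TOTP code, and the cached local vault, which is protected only by the key derived from the master password. The PBKDF2 parameters, the toy cipher, and the account values are constructed assumptions for the model, not LastPass's real implementation.

```python
import hashlib, hmac, struct

def derive_key(master_password, email):
    # PBKDF2 with the account email as salt (iteration count is a model assumption)
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), 100_100)

def seal(key, plaintext):
    # Toy authenticated encryption for the model only: SHA-256 keystream XOR plus an HMAC tag
    stream = b"".join(hashlib.sha256(key + struct.pack(">I", i)).digest()
                      for i in range(len(plaintext) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    return hmac.new(key, ct, "sha256").digest() + ct

def open_sealed(key, blob):
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, "sha256").digest()):
        return None                      # wrong master password or tampered blob
    return seal(key, ct)[32:]            # XOR keystream is its own inverse

def totp(secret, now, step=30, digits=6):
    d = hmac.new(secret, struct.pack(">Q", now // step), "sha1").digest()
    o = d[-1] & 0x0F
    return "%0*d" % (digits, (struct.unpack(">I", d[o:o + 4])[0] & 0x7FFFFFFF) % 10 ** digits)

class Server:
    def __init__(self, email, master_password, totp_secret, vault):
        key = derive_key(master_password, email)
        self.email, self.totp_secret = email, totp_secret
        self.login_hash = hashlib.sha256(key).digest()   # server stores a hash, never the key
        self.blob = seal(key, vault)                      # vault is encrypted client-side
    def login(self, email, master_password, code, now):
        if email != self.email: return None
        if hashlib.sha256(derive_key(master_password, email)).digest() != self.login_hash: return None
        if code != totp(self.totp_secret, now): return None   # 2FA only guards this online path
        return self.blob

class Client:
    def __init__(self, server, keep_local_copy=True):
        self.server, self.keep_local_copy, self.cache = server, keep_local_copy, None
    def unlock(self, email, master_password, code=None, now=0, online=True):
        key = derive_key(master_password, email)
        if online:
            blob = self.server.login(email, master_password, code, now)
            if blob is None: return None
            if self.keep_local_copy: self.cache = blob    # the "local vault" the reply describes
            return open_sealed(key, blob)
        # Server unreachable or slow: fall back to the cached copy; no 2FA code is involved
        return open_sealed(key, self.cache) if self.cache else None
```

With `keep_local_copy=False` the offline path returns nothing, which is the effect of the "disable the local vault copy" setting the reply points to.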

