The vulnerability detailed in this research was originally reported to us in 2018, and at that time we implemented changes to our LastPass Android app to mitigate and minimize the risk of the potential attack. While continued efforts from the web and Android communities will also be required, our app requires explicit user approval before filling any unknown apps, and we’ve increased the integrity of our app associations database in order to minimize the risk of any “fake apps” being filled/accepted. Additionally, based on our findings, this type of vulnerability would not only require a significant amount of effort on the side of the attacker but also a significant number of mistakes to be made by a user. Generally speaking, there is always some risk when installing apps from unknown sources, which is why it is recommended to only install apps which are known to be safe from the official Google Play store.
We are constantly evaluating ways to improve the autofill flow to protect our users while still offering a convenient login experience. If the user wants to be in control of the credential filling, this option is available as an extension preference setting and, for Enterprise users, as a policy. Additionally, users are not required to use pageload autofill with LastPass; they can disable autofill by visiting the extension, clicking Account Options > Extension Preferences, and deselecting the "Automatically fill login information" box. It is also always in the user’s best interest to enable MFA for all online accounts, including LastPass, since it can protect them further. As always, delivering a secure service for our users remains our top priority, and we will continue to work with the security community to respond to and fix potential vulnerability reports as quickly as possible.
Glenn Dobson | Community Leader, Social Support