Our team recently investigated and resolved a server-side issue affecting Google Authenticator when enabled in LastPass. Martin Vigo, a security researcher at Salesforce who responsibly disclosed the issue via our bug bounty program, revealed a set of circumstances that could allow an attacker to bypass Google Authenticator.
We worked closely with Martin to develop a fix and verify that the solution was comprehensive; Martin has since shared the details on his blog. The issue has been resolved on our side, and no user action is required.
To exploit this issue, an attacker would have needed to take several steps to bypass Google Authenticator. First, the attacker would have had to lure a user to a malicious website. Second, the user would have had to be logged in to LastPass at the time of visiting that site. This combination of preconditions decreases the likelihood that a user was affected.
We know the LastPass community is very security-savvy, but as a reminder LastPass continues to recommend the following general best practices for online security:
- Beware of phishing attacks. Do not click on links from people you don’t know, or that seem out of character from your trusted contacts and companies.
- Never reuse your LastPass master password and never disclose it to anyone, including us.
- Use different, unique passwords for every online account.
- Two-factor authentication remains the most effective way to protect your account. Always enable 2FA for LastPass and other services like your bank, email, Twitter, Facebook, etc.
- Keep a clean machine by running antivirus and keeping your software up-to-date.
As always, we welcome these contributions from white-hat security researchers, and incentivize participation in our bug bounty program (https://bugcrowd.com/lastpass) to ensure LastPass delivers a secure service for our community.