LastPass Security Vulnerability for 2nd Factor Authentication Login

We’ve detected a vulnerability in LastPass which allow autofill of password into web login form right after login and right before 2nd factor authentication login.

This issue is rare and does not affect majority of LastPass users, however  issue could be re-created by our team on Google Chrome running on MacOS when following environment is set:

  1. Make sure LastPass is logged out.
  2. Open a website that you have LastPass to fill up login form automatically.
  3. Login to LastPass and don’t check “Remember Password” (so password expire after closing chrome)
  4. When entering 2nd Factor code, don’t check “Remember” checkbox either (so 2nd factor login expire too. otherwise you need to wait 30 days for it to expire which you will get same vulnerability result)
  5. Upon successful login, you will see LastPass autofilled login form. It is all correct until here right? Yes. next steps is where issue come up.
  6. Completely quit Chrome browser, make sure all processes are closed.
  7. Open Chrome again and open that website (or any other website that have autofill for login form)
  8. Click on LastPass icon and login with your password.
  9. HERE is where problem happen!
  10. You are redirected to 2nd Authentication login form. but if you switch back to the website you just opened, you will see your password is autofilled. Autofilled before you login 2nd Factor Authentication form.

So here is the catch. It will only work on 1st login after a successful full login. If you don’t proceed with 2nd Factor authentication login now and close chrome again. and then re-open chrome and repeat step 7 and 8, it would not auto populate your password into web form.

We’ve reached to LastPass and hoping they react fast regarding this issue.

LastPass replied
I just want to clarify that this is not a bug. This could be because of the Offline Cache. You may read more about here

But… Should not offline cache be secured via 2nd factor authentication too?
And if it is not a bug, why it happen only and only in first login after a successful login, then quitting browser and re-opening it?
If it is expected behaviour, it should always populate login form right after entering login information and before entering 2nd factor code, but now it only auto populate on first try.
Even closing and re-opening browser won’t trigger auto populate anymore.

2 thoughts on “LastPass Security Vulnerability for 2nd Factor Authentication Login”

  1. I also experienced this behaviour over a year ago. I went to report to LastPass but their bug bounty ( states that it is not a vulnerability. Downloading the encrypted LastPass vault requires 2nd factor, but if you already have it downloaded in an offline cache then only the master password is required to decrypt.

Leave a Reply to Chris Stone Cancel reply

Your email address will not be published. Required fields are marked *