A few days back it was revealed by a security researcher in a post on Medium that the LastPass Authenticator app for 2FA key generation wasn't entirely secure. Access to the keys was ostensibly secured by a PIN/fingerprint, but a workaround was found that allows anyone with the ability to launch an activity on the device, including other installed applications, to access those codes. LastPass has fixed this problem in an update today.
The vulnerability was actually pretty simple. Apparently, by merely launching the LastPass Authenticator settings activity (com.lastpass.authenticator.activities.SettingsActivity), you could enter the settings pane for the app without having to provide a PIN or fingerprint. From there, it's a single tap back to access 2FA codes. Since this activity can be launched by any app, physical access to the phone wouldn't even be required for you to be vulnerable.
Launching the settings activity
The developer that found the security problem allegedly tried to contact LastPass over 7 months ago. In that time, although LastPass was able to reproduce the issue, the company did not seem to take any steps to fix the problem. After the company's previous security snafus, that's more than a bit disconcerting.
Once the post detailing the vulnerability was published to Medium—note, with a further two weeks of warning given to the company—it only took 4 days for LastPass to finally come up with a fix. The update released today to Google Play (v184.108.40.2065) should eliminate this problem.
The company responded to this latest vulnerability in a post to its blog, in which LastPass admits that the bug and associated report weren't appropriately escalated, though they claim to have "identified and resolved the procedural issue" which resulted in the oversight. In the meantime, if you haven't already given thought to migrate to a more secure 2FA system, perhaps you should consider it.