I was assisting a friend with some scenarios to see if it would be possible for her incoming employee to be able to change passwords (they will be running social media accounts)...
I have a free user account, she has a premium, so she shared the account with me and it even specifically said when she went to share it with me 'This user cannot view or change the password for this item'. However, once I logged in to the account (it was Twitter we tested on and I logged in via the Twitter app on my Android as well as did the same thing on my PC using Chrome), I was able to go into the security settings for the account, go to password, and by using the autofill for LastPass, fill the password options and change the account password. She even received the email from Twitter saying that the password was changed. She then tried to use the auto-change feature within her LastPass account to reclaim it, but Twitter wouldn't recognize the auto-change password that was assigned....
Has anyone else run into this issue? If so, what were your solutions? If not, any recommendations?
Since you changed the Twitter password you will need to provide her with the new password so she can update her LastPass entry. She will need to look at Twitter's account security options like enabling 2FA for any changes and then link it to her phone.
Thank you for the feedback, but we did that. The problem lies in that once I got into the account, I was able to go in and actually change it. Isn't that supposed to not be possible? The account was shared with me in my shared vault. We are trying to make sure that once an account is shared with the employee they cannot go and change any password.
Once a password has been shared with a user and logged in to the account, changing the password to that account is controlled through the site itself (in this case, through Twitter). You would want to see if Twitter has additional security options to limit the ability to change the account password, such as requiring multi-factor authentication in order to confirm a password change, as this is outside of LastPass' control.