LastPass’s analytics code raises questions about potential security vulnerabilities

LastPass recently caused a stir by announcing upcoming changes to its pricing model that effectively restrict the free tier, and now the company is in for more bad news. According to a report published by German security researcher Mike Kuketz (via The Register), the password manager uses seven third-party trackers that introduce potential security risks, leading him to recommend that LastPass users switch to a competitor.

Kuketz used Exodus Privacy to identify which third-party trackers the app contains, and he found the following seven:

  • AppsFlyer
  • Google Analytics
  • Google CrashLytics
  • Google Firebase Analytics
  • Google Tag Manager
  • MixPanel
  • Segment

To check what exactly these third-party tools do, Kuketz analyzed the network traffic of LastPass version 4.11.18.6150. Collecting basic device data (phone model, Android version, screen size, etc.) and crash reports to troubleshoot problems users run into is reasonable, but when new entries are created in the app, it also sends which LastPass tier is active (Premium, Family, Premium Trial, etc.) and even the Google advertising ID. All of this is metadata; none of your passwords or other credentials is transmitted this way.

"$os":"Android"
"$os_version":"10"
"$manufacturer":"Xiaomi"
"$model":"Mi A1"
"$google_play_services":"available"
"$screen_height":1920
"$screen_width":1080
"$app_version":"4.11.18.6150"
"$has_telephone":true
"$wifi":true
"$bluetooth_version":"ble"
"token":"bdbd82f1991ac775d539539aa2b49833"
"referrer":"utm_source=google-play&utm_medium=organic"
"utm_source":"google-play"
"$device_id":"147666a8-772a-4221-b040-52ec4be06d88"
"Account Type":"Free"
"Family User Type":"None"
"Biometrics Enabled":"false"
"Android Autofill Enabled":"false"
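A reviewer auditing a payload like the one above wants to separate harmless device diagnostics from fields that identify the device or describe the account's security posture. The following is an added example, not code from the article, from Kuketz or from LastPass: it rebuilds the quoted key/value pairs as a constructed JSON sample and classifies each field by key name and value shape (UUIDs and long hex strings are flagged as potential stable identifiers). The regex rules are assumptions chosen for this sample, not any tracker's documented schema.

```python
"""Privacy review of a captured analytics payload (added example)."""
import json
import re

# Constructed sample, reassembled from the key/value pairs quoted in the article.
CAPTURED_PAYLOAD = json.dumps({
    "$os": "Android", "$os_version": "10", "$manufacturer": "Xiaomi",
    "$model": "Mi A1", "$google_play_services": "available",
    "$screen_height": 1920, "$screen_width": 1080,
    "$app_version": "4.11.18.6150", "$has_telephone": True, "$wifi": True,
    "$bluetooth_version": "ble",
    "token": "bdbd82f1991ac775d539539aa2b49833",
    "referrer": "utm_source=google-play&utm_medium=organic",
    "utm_source": "google-play",
    "$device_id": "147666a8-772a-4221-b040-52ec4be06d88",
    "Account Type": "Free", "Family User Type": "None",
    "Biometrics Enabled": "false", "Android Autofill Enabled": "false",
})

# Value shapes that can serve as stable identifiers across sessions.
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
HEX_RE = re.compile(r"^[0-9a-f]{32,}$", re.I)
# Key patterns (assumed for this review): identifiers, account/security-posture
# metadata, and anything that must never leave a password manager at all.
ID_KEYS = re.compile(r"(device_id|advertising|ad_id|distinct_id|user_id)", re.I)
ACCOUNT_KEYS = re.compile(r"(account|family|tier|enabled|premium)", re.I)
SECRET_KEYS = re.compile(r"(password|passphrase|secret|vault|credential|note)", re.I)


def classify(key, value):
    """Return 'secret', 'identifier', 'account' or 'diagnostic' for one field."""
    if SECRET_KEYS.search(key):
        return "secret"
    sval = str(value)
    if ID_KEYS.search(key) or UUID_RE.match(sval) or HEX_RE.match(sval):
        return "identifier"
    if ACCOUNT_KEYS.search(key):
        return "account"
    return "diagnostic"


def review(payload_json):
    """Group a payload's fields by category: dict of category -> sorted keys."""
    report = {"secret": [], "identifier": [], "account": [], "diagnostic": []}
    for key, value in json.loads(payload_json).items():
        report[classify(key, value)].append(key)
    return {cat: sorted(keys) for cat, keys in report.items()}


if __name__ == "__main__":
    for category, keys in review(CAPTURED_PAYLOAD).items():
        print(f"{category:11s} {', '.join(keys) or '-'}")
```

On the sample, the device ID and the project token land in the identifier bucket and the four account fields in the account bucket, matching the article's point that what leaves the app is metadata rather than vault contents.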

A LastPass spokesperson told The Register, “No sensitive personally identifiable user information or vault activity can be passed through these trackers. These trackers collect limited aggregated statistics about how you use LastPass, which are used to help us improve and optimize the product.” The spokesperson also said it is possible to opt out of analytics in the LastPass privacy settings.

We believe the high number of trackers may be a result of the 2015 acquisition by LogMeIn: the LastPass team may have added the analytics tools preferred by the new owner without dropping the ones it already used. It’s hard to imagine nefarious intent, but running this many trackers in a security-critical app is anything but good practice, and it is clearly a mistake that LastPass’s privacy policy mentions no trackers other than Google and Adobe.

In most apps, trackers aren’t really a security issue, but the more third-party tools a security-critical app like a password manager has to juggle, the harder it becomes to make sure that all of them are behaving and none is accidentally accessing data that isn’t intended for it. And it’s not as if LastPass has never experienced a breach.

For what it’s worth, the competition isn’t entirely free of trackers either, although most use only a reasonable number. Bitwarden uses HockeyApp for crash reporting and Google Firebase for live-sync push notifications (the F-Droid version is free of both), while Microsoft Authenticator and Dashlane each have four third-party trackers. MYKI has two and Enpass only one. 1Password and KeePassDX are completely free of trackers.
