LastPass recently made headlines by announcing upcoming changes to its pricing model that will effectively restrict the free tier, and now the company is facing more bad news. According to a report published by German security researcher Mike Kuketz (via The Register), the password manager's Android app uses seven third-party trackers that introduce potential security issues, which led him to recommend that LastPass users switch to a competitor.
Kuketz used Exodus Privacy to determine which third-party trackers the app uses, and he found the following seven:
- AppsFlyer
- Google Analytics
- Google CrashLytics
- Google Firebase Analytics
- Google Tag Manager
- Mixpanel
- Segment
To see what exactly these third-party tools do, Kuketz analyzed the network traffic of LastPass version 4.11.18.6150. While it makes sense to collect basic device data (phone model, Android version, screen size, etc.) and crash data in order to diagnose issues that affect users, the app also reports when new entries are created in the app, which LastPass tier is active (Premium, Family, Premium Trial, etc.), and even the Google advertising ID. All of this information is metadata, so none of your passwords or other secrets are exposed this way.
A LastPass spokesperson told The Register: "No sensitive personally identifiable user data or safe activity can be passed on by these trackers. These trackers collect limited statistics on how you use LastPass, which are used to help us improve and optimize the product." The spokesperson also mentioned that it is possible to opt out of analytics in the LastPass privacy settings.
We assume that the large number of trackers may be a result of the acquisition by LogMeIn in 2015. It is possible that the LastPass team added the analytics tools the new owner prefers without dropping its own preferred tools. It's hard to imagine bad intentions, but so many trackers in a security-critical app are anything but good practice, and it's certainly an oversight that LastPass does not mention any trackers other than Google and Adobe in its privacy policy.
In most applications, trackers are not much of a security issue, but the more third-party tools a security-critical app like a password manager runs, the harder it is to ensure that each of them behaves and does not accidentally access data that is not meant for it. And it's not as if LastPass has never suffered a breach.
For what it's worth, the competition is not completely free of trackers either, though most use only a few. Bitwarden uses HockeyApp for crash reporting and Google Firebase for live-sync push notifications (the F-Droid version is tracker-free), while Microsoft Authenticator and Dashlane each have four third-party trackers. MYKI has two, and Enpass has only one. 1Password and KeePassDX are completely tracker-free.