Security researcher recommends against LastPass after detailing 7 trackers

A security researcher is recommending against the LastPass password manager after detailing seven trackers found in the Android app, The Register reports. Although there is no suggestion that the trackers, which were analyzed by researcher Mike Kuketz, are transferring a user’s real passwords or usernames, Kuketz says that their presence is bad practice for a critical security application that handles such confidential information.

Responding to the report, a spokesperson for LastPass said the company gathers limited data “on how LastPass is used” to help it “improve and optimize the product”. It is important to note that LastPass told The Register that “no sensitive identifiable user data or vault activity can pass through these trackers” and that users can opt out of analytics in the Privacy section of the Advanced Settings menu.

The LastPass trackers include four from Google that handle crash analysis and reporting, as well as one from a company called Segment, which allegedly gathers data for marketing teams. Kuketz analyzed the data being transmitted and found that it included information about the make and model of the smartphone, as well as whether the user has biometric security enabled. Even if the data transmitted is not personally identifiable, the mere integration of this third-party code in the first place presents the potential for security vulnerabilities, according to Kuketz.

“If you really use LastPass, I recommend changing the password manager,” wrote Kuketz (via machine translation). “There are solutions that do not permanently send data to third parties and do not record user behavior.”

LastPass is not the only password manager to include trackers like this, but it seems to have more than many popular competitors. Bitwarden’s free alternative has only two according to Exodus Privacy, while RoboForm and Dashlane have four, and 1Password has none.

The report comes shortly after LastPass announced that it would severely limit the functionality of its free tier. Although free users can currently store an unlimited number of passwords on any number of devices, they will soon have to choose one category of devices on which to view and manage their passwords – “Mobile” or “Computer” – unless they want to pay for the service. The changes will take effect on March 16.
