LastPass analytics code raises questions about possible security issues

LastPass recently caused a stir by announcing changes to its pricing model that will effectively cancel the free tier, and now the company is about to receive more bad news. According to a report published by German cybersecurity researcher Mike Kuketz (via The Register), the password manager's Android app uses seven third-party trackers that present potential security problems, prompting him to recommend that LastPass users switch to competitors.

Kuketz used Exodus Privacy to identify which third-party trackers the app uses and was able to find the following seven:

  • AppsFlyer
  • Google Analytics
  • Google CrashLytics
  • Google Firebase Analytics
  • Google Tag Manager
  • MixPanel
  • Segment

To see what exactly these third-party tools do, Kuketz analyzed network traffic originating from LastPass version 4.11.18.6150. While it makes sense to collect basic device data (phone model, Android version, screen size, etc.) and crash data to troubleshoot problems that users may encounter, the app also reports when new entries are created in the vault, which LastPass tier is active (Premium, Family, Premium Trial, etc.) and even Google's advertising ID. All of this is metadata; none of your passwords or other credentials are exposed in this way.

"$os":"Android"
"$os_version":"10"
"$manufacturer":"Xiaomi"
"$model":"Mi A1"
"$google_play_services":"available"
"$screen_height":1920
"$screen_width":1080
"$app_version":"4.11.18.6150"
"$has_telephone":true
"$wifi":true
"$bluetooth_version":"ble"
"token":"bdbd82f1991ac775d539539aa2b49833"
"referrer":"utm_source=google-play&utm_medium=organic"
"utm_source":"google-play"
"$device_id":"147666a8-772a-4221-b040-52ec4be06d88"
"Account Type":"Free"
"Family User Type":"None"
"Biometrics Enabled":"false"
"Android Autofill Enabled":"false"
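The `$`-prefixed keys in the capture above are the default device properties emitted by Mixpanel's Android SDK; that identification is my inference, not something the article states. As an added example that is not part of Kuketz's report or the article, the Python below decodes a tracker batch in that wire format (base64-encoded JSON in a `data` form field) and sorts each property into routine diagnostics, stable identifiers, and app-defined state, which is the distinction the article draws. The sample event is constructed; its property values are the ones printed above.

```python
import base64
import json
import re

# Constructed sample event: the event name is made up, the property values are
# those printed in the article. '$'-prefixed keys are the SDK's own defaults.
SAMPLE_EVENT = {
    "event": "Item Created",
    "properties": {
        "$os": "Android", "$os_version": "10", "$manufacturer": "Xiaomi",
        "$model": "Mi A1", "$google_play_services": "available",
        "$screen_height": 1920, "$screen_width": 1080,
        "$app_version": "4.11.18.6150", "$has_telephone": True, "$wifi": True,
        "$bluetooth_version": "ble",
        "token": "bdbd82f1991ac775d539539aa2b49833",
        "referrer": "utm_source=google-play&utm_medium=organic",
        "utm_source": "google-play",
        "$device_id": "147666a8-772a-4221-b040-52ec4be06d88",
        "Account Type": "Free", "Family User Type": "None",
        "Biometrics Enabled": "false", "Android Autofill Enabled": "false",
    },
}
# The SDK ships a batch as a base64-encoded JSON array in the 'data' form field.
SAMPLE_DATA_PARAM = base64.b64encode(json.dumps([SAMPLE_EVENT]).encode()).decode()

# Values that look like stable identifiers, whatever the key is called:
# UUIDs (device or advertising IDs) and long hex tokens.
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
HEX_TOKEN_RE = re.compile(r"^[0-9a-f]{32,}$", re.I)


def decode_mixpanel_batch(data_param: str) -> list:
    """Decode the base64 'data' field of a captured tracker request into events."""
    events = json.loads(base64.b64decode(data_param))
    return events if isinstance(events, list) else [events]


def classify_properties(props: dict) -> dict:
    """Split event properties into diagnostics, identifiers and app-defined state."""
    out = {"diagnostic": [], "identifier": [], "app_defined": []}
    for key, value in props.items():
        text = str(value)
        if UUID_RE.match(text) or HEX_TOKEN_RE.match(text):
            out["identifier"].append(key)    # links every event to one install
        elif key.startswith("$"):
            out["diagnostic"].append(key)    # SDK default: OS, hardware, build
        else:
            out["app_defined"].append(key)   # set by the app: tier, toggles, UTM
    return out
```

The identifier bucket is what turns anonymous statistics into a per-install profile, so a review of any tracker capture should start there.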

A spokesperson for LastPass told The Register, “No confidential user data or vault activity can be passed on by these trackers. These trackers collect limited aggregate statistical data about how you use LastPass, which is used to help us improve and optimize the product.” The spokesperson also noted that users can opt out of analytics in the LastPass privacy settings.

We assume that the large number of trackers may be due to the acquisition by LogMeIn in 2015. It is possible that the LastPass team added the analytics tools preferred by its new owner without giving up its own preferred tools. It is difficult to imagine harmful intentions, although having so many trackers in a security-critical application is anything but good practice, and it is definitely an oversight that LastPass's privacy policy does not mention any trackers other than Google and Adobe.

In most applications, trackers are not a major security issue, but the more third-party tools a security-critical application such as a password manager relies on, the harder it is to ensure that they all behave and do not accidentally access data not intended for them. And it's not as if LastPass has never experienced a breach.

For what it's worth, the competition is not completely free of trackers either, although most use only a reasonable number. Bitwarden uses HockeyApp for crash reports and Google Firebase for live-sync push notifications (the F-Droid build is tracker-free), while Microsoft Authenticator and Dashlane each have four third-party trackers. MYKI has two and Enpass has only one. 1Password and KeePassDX are completely free of trackers.
