LastPass recently caused an uproar by announcing forthcoming changes to its pricing model that will effectively nerf the free tier, and now the company is in for some more bad news. According to a report published by German cybersecurity researcher Mike Kuketz (via The Register), the password manager's Android app uses seven third-party trackers that introduce potential security issues, prompting him to recommend that LastPass users switch to competitors.

Kuketz used Exodus Privacy to identify which third-party trackers the app uses, and he managed to find the following seven:

  • AppsFlyer
  • Google Analytics
  • Google CrashLytics
  • Google Firebase Analytics
  • Google Tag Manager
  • MixPanel
  • Segment

To check what exactly these third-party tools do, Kuketz analyzed the network traffic originating from LastPass version 4.11.18.6150. While it makes sense to collect basic device data (phone, Android version, screen size, etc.) and crash data to properly troubleshoot issues users might run into, the app also transmits when new entries are created in the app, which LastPass tier is active (Premium, Family, Premium Trial, etc.), and even the Google advertising ID. All of these are metadata, so none of your passwords or other credentials are ever exposed that way.

    {
      "$os": "Android",
      "$os_version": "10",
      "$manufacturer": "Xiaomi",
      "$model": "Mi A1",
      "$google_play_services": "available",
      "$screen_height": 1920,
      "$screen_width": 1080,
      "$app_version": "4.11.18.6150",
      "$has_telephone": true,
      "$wifi": true,
      "$bluetooth_version": "ble",
      "token": "bdbd82f1991ac775d539539aa2b49833",
      "referrer": "utm_source=google-play&utm_medium=organic",
      "utm_source": "google-play",
      "$device_id": "147666a8-772a-4221-b040-52ec4be06d88",
      "Account Type": "Free",
      "Family User Type": "None",
      "Biometrics Enabled": "false",
      "Android Autofill Enabled": "false"
    }

A LastPass spokesperson told The Register, "No sensitive personally identifiable user data or vault activity could be passed through these trackers. These trackers collect limited aggregated statistical data about how you use LastPass which is used to help us improve and optimize the product." The spokesperson also mentioned it's possible to opt out of analytics in the LastPass Privacy settings.
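The way to test a claim like "limited aggregated statistical data" is to look at the captured event properties field by field and ask which ones are one-off device facts, which describe the account, and which are persistent per-device identifiers that let a tracker correlate events over time. The script below is an added example written for this article, not code from Kuketz or LastPass. It re-types the intercepted payload shown above as valid JSON, sorts each property into a hypothetical category, flags UUID- or hex-token-shaped values as identifiers, and checks that no key name suggests vault content. The key groupings and the regexes are this example's own assumptions, not any tracker's documented schema.

```python
import json
import re

# Constructed sample: the Mixpanel-style event properties from the article's
# capture of LastPass 4.11.18.6150, re-typed as valid JSON. The identifier
# values are the ones the article printed and serve only as illustration.
CAPTURED_EVENT = r'''
{
  "$os": "Android", "$os_version": "10", "$manufacturer": "Xiaomi", "$model": "Mi A1",
  "$google_play_services": "available", "$screen_height": 1920, "$screen_width": 1080,
  "$app_version": "4.11.18.6150", "$has_telephone": true, "$wifi": true,
  "$bluetooth_version": "ble", "token": "bdbd82f1991ac775d539539aa2b49833",
  "referrer": "utm_source=google-play&utm_medium=organic", "utm_source": "google-play",
  "$device_id": "147666a8-772a-4221-b040-52ec4be06d88",
  "Account Type": "Free", "Family User Type": "None",
  "Biometrics Enabled": "false", "Android Autofill Enabled": "false"
}
'''

# Hypothetical key groups chosen for this example (not from any tracker's docs).
DEVICE_KEYS = {
    "$os", "$os_version", "$manufacturer", "$model", "$google_play_services",
    "$screen_height", "$screen_width", "$app_version", "$has_telephone",
    "$wifi", "$bluetooth_version",
}
ACCOUNT_KEYS = {"Account Type", "Family User Type", "Biometrics Enabled",
                "Android Autofill Enabled"}
ACQUISITION_KEYS = {"referrer", "utm_source", "utm_medium", "utm_campaign"}

# Key names that would indicate vault content leaking into analytics.
# None of these should ever appear in a tracker event from a password manager.
VAULT_KEY_PATTERN = re.compile(
    r"(password|passphrase|secret|username|vault|note|credit|card|url)", re.I)

# Value shapes typical of persistent identifiers: UUIDs and long hex tokens.
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
HEX_TOKEN_RE = re.compile(r"^[0-9a-f]{32,}$", re.I)


def looks_like_identifier(value):
    """True for string values shaped like a UUID or a 32+ character hex token."""
    return isinstance(value, str) and bool(UUID_RE.match(value) or HEX_TOKEN_RE.match(value))


def classify(properties):
    """Sort each event property into a category; returns a dict of key lists."""
    report = {"device": [], "account": [], "acquisition": [],
              "identifier": [], "vault_like": [], "other": []}
    for key, value in properties.items():
        if VAULT_KEY_PATTERN.search(key):
            report["vault_like"].append(key)      # would contradict the vendor's claim
        elif key in DEVICE_KEYS:
            report["device"].append(key)          # crash-diagnosis style device facts
        elif key in ACCOUNT_KEYS:
            report["account"].append(key)         # tier and feature state, per user
        elif key in ACQUISITION_KEYS:
            report["acquisition"].append(key)     # marketing attribution
        elif looks_like_identifier(value):
            report["identifier"].append(key)      # lets events be linked over time
        else:
            report["other"].append(key)
    return report


def audit(raw_json):
    """Parse a captured event and return (report, no_vault_data, identifier_count)."""
    report = classify(json.loads(raw_json))
    return report, not report["vault_like"], len(report["identifier"])


if __name__ == "__main__":
    report, clean, n_ids = audit(CAPTURED_EVENT)
    for category, keys in report.items():
        print(f"{category:12s} {len(keys):2d}  {', '.join(keys)}")
    print("no vault-like keys:", clean)
    print("persistent identifiers in event:", n_ids)
```

Run against the captured event, the script reports no vault-like keys, which is consistent with the spokesperson's statement, but it also finds two identifier-shaped values and four account-level properties, so the event is per-device telemetry rather than aggregated statistics. Feeding the same function a deliberately bad event (say one carrying a "username" or "site_url" key) makes the vault-like check fire, which is what an app's own pre-release review of tracker payloads should be asserting on.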

We assume the high number of trackers could be due to the 2015 acquisition by LogMeIn. It's possible the LastPass team added analytics tools preferred by its new owner without wanting to forgo its own preferred tools. It's hard to imagine nefarious intentions, though having that many trackers in a critical security environment is anything but good practice, and it's definitely an oversight that LastPass doesn't mention trackers other than Google and Adobe in its privacy policy.

In most apps, trackers aren't much of a security issue, but the more third-party tools a security-critical app like a password manager needs to juggle, the harder it is to ensure that all of them behave and don't accidentally access data not meant for them. And it's not like LastPass has never experienced a breach.

For what it's worth, the competition isn't completely free of trackers, either, though at least most only use a reasonable number. Bitwarden uses HockeyApp for crash reporting and Google Firebase for live sync push notifications (the F-Droid version is free of those), while Microsoft Authenticator and Dashlane have four third-party trackers. MYKI has two, and Enpass has only one. 1Password and KeePassDX are completely free of trackers.

Source: Kuketz Blog

Via: The Register