LastPass Analysis Code Raises Questions About Potential Security Issues


LastPass recently caused quite a stir by announcing upcoming changes to its pricing model that will effectively weaken the free tier, and now the company has more bad news. According to a report published by German cybersecurity researcher Mike Kuketz (via The Register), the password manager's Android app uses seven third-party trackers that introduce potential security issues, prompting him to recommend that LastPass users switch to the competition.

Kuketz used Exodus Privacy to identify the third-party trackers embedded in the app and found the following seven:

  • AppsFlyer
  • Google Analytics
  • Google Crashlytics
  • Google Firebase Analytics
  • Google Tag Manager
  • MixPanel
  • Segment

To see what exactly these third-party tools do, Kuketz analyzed the network traffic originating from LastPass version 4.11.18.6150. While it makes sense to collect basic device data (phone, Android version, screen size, etc.) and crash data to properly troubleshoot issues that users may encounter, the app also reports when new entries are created in the application, which LastPass tier is active (Premium, Family, Premium Trial, etc.), and even the Google advertising ID. All of these are metadata, so none of your passwords or other credentials are exposed that way.

"$os":"Android"
"$os_version":"10"
"$manufacturer":"Xiaomi"
"$model":"Mi A1"
"$google_play_services":"available"
"$screen_height":1920
"$screen_width":1080
"$app_version":"4.11.18.6150"
"$has_telephone":true
"$wifi":true
"$bluetooth_version":"ble"
"token":"bdbd82f1991ac775d539539aa2b49833"
"referrer":"utm_source=google-play&utm_medium=organic"
"utm_source":"google-play"
"$device_id":"147666a8-772a-4221-b040-52ec4be06d88"
"Account Type":"Free"
"Family User Type":"None"
"Biometrics Enabled":"false"
"Android Autofill Enabled":"false"
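As an added illustration (not part of Kuketz's report or this article), the following Python script parses a property dump in the shape quoted above and sorts each field into device diagnostics, account/usage metadata, or identifier-like values; the sample dump, the token and the device id it contains are constructed placeholders, and the key lists are assumptions drawn only from the fields shown on this page.

```python
import re

# Constructed sample in the shape of the dump quoted above; the token and device id are made up.
SAMPLE_DUMP = '''
"$os":"Android"
"$model":"Example Phone"
"$screen_height":1920
"$app_version":"4.11.18.6150"
"token":"00112233445566778899aabbccddeeff"
"$device_id":"123e4567-e89b-42d3-a456-426614174000"
"Account Type":"Free"
"Biometrics Enabled":"false"
'''

LINE_RE = re.compile(r'^\s*"([^"]+)"\s*:\s*(?:"([^"]*)"|([^\s",]+))\s*,?\s*$')
UUID_RE = re.compile(r'^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$', re.I)
HEX_ID_RE = re.compile(r'^[0-9a-f]{32,}$', re.I)

# Device/app-build keys (the "basic device data" the article calls reasonable) vs. account keys.
DEVICE_KEYS = {"os", "os_version", "manufacturer", "model", "screen_height", "screen_width",
               "app_version", "google_play_services", "has_telephone", "wifi", "bluetooth_version"}
ACCOUNT_KEYS = {"account type", "family user type", "biometrics enabled", "android autofill enabled"}


def parse_dump(text):
    """Parse '"key":value' lines into a dict of strings; lines in any other shape are skipped."""
    props = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            key, quoted, bare = m.groups()
            props[key] = quoted if quoted is not None else bare
    return props


def classify(props):
    """Bucket properties. 'identifier' is decided by value shape (UUID or long hex) or an
    id-like key, so a renamed field still surfaces; a hex 'token' may be the analytics
    project's own token rather than a per-user id, so it is flagged for review, not judged."""
    out = {"device": [], "identifier": [], "account": [], "other": []}
    for key, value in props.items():
        norm = key.lstrip("$").lower()
        if UUID_RE.match(value) or HEX_ID_RE.match(value) or "device_id" in norm or "advertising" in norm:
            out["identifier"].append(key)
        elif norm in DEVICE_KEYS:
            out["device"].append(key)
        elif norm in ACCOUNT_KEYS:
            out["account"].append(key)
        else:
            out["other"].append(key)
    return out
```

Anything landing in the "identifier" bucket is what lets an analytics vendor link events to one installation or user across sessions, so that bucket is the one to review first when auditing a sensitive app's telemetry.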

A LastPass spokesperson told The Register: “No personally identifiable user data or vault activity can be passed through these trackers. These trackers collect limited aggregated statistical data on how you use LastPass, which is used to help us track, improve and optimize the product.” The spokesperson also mentioned that it is possible to opt out of analytics in the LastPass privacy settings.

We assume that the large number of trackers could be due to the acquisition by LogMeIn in 2015. The LastPass team may have added the analytics tools preferred by its new owner on top of its own preferred tools. It’s hard to imagine nefarious intentions, although having so many trackers in a security-critical application is anything but good practice, and it’s definitely an oversight that LastPass doesn’t mention trackers other than Google and Adobe in its privacy policy.

In most applications, trackers are not a big security problem, but the more third-party tools a security-critical application such as a password manager uses, the harder it is to make sure that every one of them behaves and does not accidentally access data not intended for it. And it’s not as if LastPass has never experienced a breach.

For what it’s worth, the competition isn’t completely tracker-free either, although at least most only use a reasonable number. Bitwarden uses HockeyApp for crash reporting and Google Firebase for live-sync push notifications (the F-Droid version doesn’t have those), while Microsoft Authenticator and Dashlane have four third-party trackers each. MYKI has two and Enpass only has one. 1Password and KeePassDX are completely free of trackers.
