A security researcher is recommending against the LastPass password manager after detailing seven trackers found in its Android app, The Register reports. Although there is no suggestion that the trackers, which were analyzed by researcher Mike Kuketz, are transmitting a user's actual usernames or passwords, Kuketz says their presence is bad practice for a security-critical application that handles such sensitive information.
In response to the report, a LastPass spokesperson says the company collects limited data "on how LastPass is used" to help it "improve and optimize the product." Importantly, LastPass tells The Register that "no personally identifiable user data or activity from the vault can pass through these trackers", and that users can opt out of analytics in the Privacy section of the Advanced Settings menu.
LastPass's trackers include four from Google that handle crash reporting and analytics, as well as one from a company called Segment, which reportedly collects data for marketing teams. Kuketz analyzed the data being transmitted and found that it included the make and model of the smartphone, as well as whether the user has biometric security enabled. Even if the transmitted data is not personally identifiable, integrating this third-party code in the first place introduces the potential for security vulnerabilities, according to Kuketz.
“If you really use LastPass, I highly recommend changing the password manager,” wrote Kuketz (via machine translation). “There are solutions that do not send data permanently to third parties and record user behavior.”
LastPass isn't the only password manager to include trackers like this, but it appears to have more than many popular competitors. The free alternative Bitwarden has only two according to Exodus Privacy, while RoboForm and Dashlane have four, and 1Password has none.
The report comes on the heels of LastPass's announcement that it will severely limit functionality at its free tier. While free users can currently store an unlimited number of passwords across all their devices without restriction, they will soon have to choose one category of device on which to view and manage their passwords, "Mobile" or "Computer", unless they want to pay for the service. The changes take effect on March 16.