LastPass, 7 trackers found: here's how to inhibit them

A report by a group of researchers casts an unflattering light on LastPass, an important and popular app for managing passwords securely. The problem concerns as many as seven trackers found in the app's code, something not seen at all among rival apps.

Those hidden LastPass trackers

Although it is not clear exactly what purpose the code in question serves, the list in the report confirms its presence:

AppsFlyer, Google Analytics, Google Crashlytics, Google Firebase Analytics, Google Tag Manager, Mixpanel, Segment.

Are these simply useful tools for monetizing the free LastPass service? Perhaps, but according to the researchers they still deserve attention: trackers of this type could create security problems, which in an app of this kind could be seriously dangerous. Furthermore, any tracking can be used to profile the user, in all probability for advertising purposes.

LastPass has meanwhile explained to The Register that no personal identification of users is required and that privacy is guaranteed at every level. Trackers can also be excluded with a simple opt-out in the app settings (Account Settings > Show Advanced Settings > Privacy). Good to know, so that everyone can make an informed choice.

Source: The Register




Security researcher recommends against LastPass after detailing 7 trackers

A security researcher is recommending against LastPass password manager after detailing seven trackers found in the Android app, The Register reports. Although there is no suggestion that the trackers, which were analyzed by researcher Mike Kuketz, are transferring a user’s actual passwords or usernames, Kuketz says their presence is bad practice for a security-critical app handling such sensitive information.


Responding to the report, a spokesperson from LastPass says the company gathers limited data “about how LastPass is used” to help it “improve and optimize the product.” Importantly, LastPass tells The Register that “no sensitive personally identifiable user data or vault activity could be passed through these trackers,” and users can opt out of the analytics in the Privacy section of the Advanced Settings menu.


LastPass’s trackers include four from Google which handle analytics and crash reporting, as well as one from a company called Segment, which reportedly gathers data for marketing teams. Kuketz analyzed the data being transmitted and found it included information about the smartphone’s make and model, as well as information about whether a user has biometric security enabled. Even if the data transmitted isn’t personally identifiable, just integrating this third-party code in the first place introduces the potential for security vulnerabilities, according to Kuketz.


“If you actually use LastPass, I recommend changing the password manager,” wrote Kuketz (via machine translation). “There are solutions that do not permanently send data to third parties and record user behavior.”


LastPass isn’t the only password manager to include trackers like this, but it appears to have more than many popular competitors. Free alternative Bitwarden has just two according to Exodus Privacy, while RoboForm and Dashlane have four, and 1Password has none.


The report comes on the heels of LastPass’s announcement to severely limit functionality in its free tier. While free users are currently able to store an unlimited number of passwords across devices without limitation, soon they’ll have to pick one category of devices to view and manage their passwords on — “Mobile” or “Computer” — unless they want to pay for the service. The changes will come into effect on March 16th.