LastPass scan code raises questions about potential security issues

LastPass recently caused an uproar by announcing upcoming changes to its pricing model that will effectively hurt the free tier, and now the company is in for more bad news. According to a report by German cybersecurity researcher Mike Kuketz (via The Register), the password manager uses seven third-party trackers that introduce potential security issues, prompting him to recommend that LastPass users switch to a competitor.

Kuketz used Exodus Privacy to identify third-party trackers used by the app, and he managed to find the following seven:

  • AppsFlyer
  • Google Analytics
  • Google Crashlytics
  • Google Firebase Analytics
  • Google Tag Manager
  • MixPanel
  • Segment

To verify exactly what these third-party tools do, Kuketz analyzed the network traffic coming from LastPass version 4.11.18.6150. While it makes sense to collect basic device data (phone, Android version, screen size, etc.) and crash data to properly resolve issues that users may experience, the app also transmits when new entries are created in the app, which LastPass tier is active (Premium, Family, Premium Trial, etc.), and even the Google Advertising ID. All of this is metadata, so none of your passwords or other credentials are ever exposed this way.

"$os":"Android"
"$os_version":"10"
"$manufacturer":"Xiaomi"
"$model":"Mi A1"
"$google_play_services":"available"
"$screen_height":1920
"$screen_width":1080
"$app_version":"4.11.18.6150"
"$has_telephone":true
"$wifi":true
"$bluetooth_version":"ble"
"token":"bdbd82f1991ac775d539539aa2b49833"
"referrer":"utm_source=google-play&utm_medium=organic"
"utm_source":"google-play"
"$device_id":"147666a8-772a-4221-b040-52ec4be06d88"
"Account Type":"Free"
"Family User Type":"None"
"Biometrics Enabled":"false"
"Android Autofill Enabled":"false"
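As an added illustration (not from the article or from Kuketz's analysis), the following Python snippet parses an analytics payload in the key/value form shown above and separates plain device facts from account state and persistent identifiers, which is the distinction a privacy review of such traffic needs to make. The sample payload is constructed; its token and device ID are placeholders, not values from the capture.

```python
import json
import re

# Constructed sample payload, modelled on the key/value pairs quoted above;
# the token and device ID are placeholders, not values from the capture.
SAMPLE_PAYLOAD = """
"$os":"Android",
"$os_version":"10",
"$manufacturer":"Xiaomi",
"$model":"Mi A1",
"$screen_height":1920,
"$screen_width":1080,
"$app_version":"4.11.18.6150",
"token":"00000000000000000000000000000000",
"referrer":"utm_source=google-play&utm_medium=organic",
"$device_id":"00000000-0000-4000-8000-000000000000",
"Account Type":"Free",
"Biometrics Enabled":"false"
"""

# Basic device/app facts: what crash reporting legitimately needs.
DEVICE_KEYS = {"$os", "$os_version", "$manufacturer", "$model", "$screen_height",
               "$screen_width", "$app_version", "$has_telephone", "$wifi",
               "$bluetooth_version", "$google_play_services"}
# Product state: how the user has configured a security-critical app.
ACCOUNT_KEYS = {"Account Type", "Family User Type", "Biometrics Enabled",
                "Android Autofill Enabled"}
# Values shaped like persistent identifiers: a UUID (e.g. an advertising ID)
# or a 32-hex token, either of which lets a tracker link events over time.
IDENTIFIER_RE = re.compile(
    r"^(?:[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}|[0-9a-f]{32})$", re.I)


def parse_payload(text: str) -> dict:
    """Turn one `"key":value` pair per line into a dict via the JSON parser."""
    members = [ln.strip().rstrip(",") for ln in text.splitlines() if ln.strip()]
    return json.loads("{" + ",".join(members) + "}")


def classify(fields: dict) -> dict:
    """Bucket each field as device, account, identifier or unknown."""
    report = {"device": [], "account": [], "identifier": [], "unknown": []}
    for key, value in fields.items():
        if key in DEVICE_KEYS:
            report["device"].append(key)
        elif key in ACCOUNT_KEYS:
            report["account"].append(key)
        elif isinstance(value, str) and IDENTIFIER_RE.match(value):
            report["identifier"].append(key)
        else:
            report["unknown"].append(key)
    return report


def needs_review(report: dict) -> bool:
    """Flag payloads that tie a persistent identifier to account state."""
    return bool(report["identifier"]) and bool(report["account"])
```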

A LastPass spokesperson told The Register: “No personally identifiable sensitive user data or vault activity can be transmitted by these trackers. These trackers collect limited aggregate statistical data about how you use LastPass that is used to help us improve and optimize the product.” The spokesperson also mentioned that it is possible to disable tracking in LastPass’s privacy settings.

We suspect that the high tracker count could be due to the acquisition by LogMeIn in 2015. It’s possible that the LastPass team added some analytics tools that their new owner preferred without wanting to forgo their own favorite tools. It’s hard to imagine nefarious intentions, even though having so many trackers in a security-critical product is anything but good practice, and it’s certainly an oversight that LastPass doesn’t mention trackers other than Google’s and Adobe’s in its privacy policy.

In most applications, trackers aren’t much of a security issue, but the more third-party tools a security-critical application like a password manager relies on, the harder it is to ensure that they all behave and do not accidentally access data that is not intended for them. And it’s not as though LastPass has never had a breach.

For what it’s worth, the competition isn’t completely free from trackers either, although at least most use only a reasonable number. Bitwarden uses HockeyApp for crash reports and Google Firebase for live sync push notifications (the F-Droid version is tracker-free), while Microsoft Authenticator and Dashlane have four third-party trackers. MYKI has two and Enpass has only one. 1Password and KeePassDX are completely free of trackers.
