A security researcher is recommending against LastPass password manager after detailing seven trackers found in the Android app, The Register reports. Although there is no suggestion that the trackers, which were analyzed by researcher Mike Kuketz, are transferring a user’s actual passwords or usernames, Kuketz says their presence is bad practice for a security-critical app handling such sensitive information.
Responding to the report, a spokesperson from LastPass says the company gathers limited data “about how LastPass is used” to help it “improve and optimize the product.” Importantly, LastPass tells The Register that “no sensitive personally identifiable user data or vault activity could be passed through these trackers,” and users can opt out of the analytics in the Privacy section of the Advanced Settings menu.
LastPass’s trackers include four from Google which handle analytics and crash reporting, as well as one from a company called Segment, which reportedly gathers data for marketing teams. Kuketz analyzed the data being transmitted and found it included information about the smartphone’s make and model, as well as information about whether a user has biometric security enabled. Even if the data transmitted isn’t personally identifiable, just integrating this third-party code in the first place introduces the potential for security vulnerabilities, according to Kuketz.
“If you actually use LastPass, I recommend changing the password manager,” wrote Kuketz (via machine translation). “There are solutions that do not permanently send data to third parties and record user behavior.”
LastPass isn’t the only password manager to include trackers like this, but it appears to have more than many popular competitors. Free alternative Bitwarden has just two according to Exodus Privacy, while RoboForm and Dashlane have four, and 1Password has none.
The report comes on the heels of LastPass’s announcement to severely limit functionality in its free tier. While free users are currently able to store an unlimited number of passwords across devices without limitation, soon they’ll have to pick one category of devices to view and manage their passwords on — “Mobile” or “Computer” — unless they want to pay for the service. The changes will come into effect on March 16th.
