Multiple activity trackers detected in LastPass and other password managers

Mobile security specialist Mike Kuketz published research in which he recommends users of Android operating system devices stop using LastPass password manager, as he mentions that it contains up to seven online activity trackers.

Developers recognize the presence of crawlers, but mention that users can disable them if they wish.

The researcher mentions that these trackers were detected while making a report for Exodus, a nonprofit association. Kuketz mentions that four of the detected trackers are from Google and were designed for the collection of analytical data and to send reports of failures in the company’s services.

Moreover, the other three trackers detected are AppsFlyer, MixPanel and Segment. Of these three tools segment may be the most popular, as it is dedicated to gathering information for marketing specialists, offering a unified vision and developing detailed user profiles in order to link their actions to specific platforms.

Moreover, LastPass has many free users, which Kuketz believes could affect developers trying to monetize their products: “Typically developers integrate the tracker provider’s code with their apps; the data collected may be used for the creation of user profiles, their interests and recent activities for advertising purposes.”

Even app developers have no way of knowing what data crawlers collect and transmit to third parties. Therefore, proprietary code integration can pose a security risk. Kuketz adds that these elements do not apply to password managers, which are fundamental from a security point of view.

According to Exodus, an organization dedicated to protecting technology users, not all password managers contain trackers. For example, after hard research, this group concluded that there are no tracking tools in apps like 1Password and KeePass. On the other hand, the Bitwarden open source application contains two crawlers: Google Firebase (analysis) and Microsoft Visual Studio (emergency warranty reports). Dashlane has four trackers, but they are still less than the seven trackers detected in LastPass.

Although it is common to find these tools in browsers, extensions and mobile apps, users can enable an additional layer by restricting the capabilities of these tools in their privacy settings. To learn more about information security risks, malware, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) website.