Password managers can be a lifesaver, but, as one security researcher has found, they can also be a threat.
A password manager is software that stores, generates, and manages a user's passwords for both local apps and online services. It keeps the many passwords a user accumulates, encrypts them, and makes them available when they are needed.
But things can go wrong when the app contains components that should not be there.
Security researcher Mike Kuketz recommends against using LastPass after discovering that the password manager's Android app has seven trackers embedded in it.
Although there is no suggestion that the trackers are transferring users' usernames, passwords, notes, bank account details, or anything else sensitive, Kuketz said that their presence alone is bad practice.
The trackers in question include four from Google (Google Analytics, Crashlytics, Firebase Analytics, and Google Tag Manager), which provide analytics data and crash reporting. The other three are Segment, which gathers data for marketing teams; AppsFlyer, which is used for mobile marketing campaigns; and Mixpanel, which tracks user interactions.
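The SDKs listed above leave a recognisable footprint in an APK: the dex bytecode's string table holds class descriptors such as `Lcom/appsflyer/AppsFlyerLib;`, so a scan for the SDKs' package prefixes is enough to inventory them without running the app. The script below is an added example written for this page, not Kuketz's tooling or anything from LastPass or LogMeIn. It assumes the SDKs ship under their usual Java package names (an obfuscated or repackaged build would need a different signal), and the "dex" bytes and in-memory APK it scans are constructed here for the offline demo; the app's own `com/example/app` classes are placeholders.

```python
"""Inventory analytics/marketing SDKs embedded in an Android app by scanning
its dex bytecode for class descriptors with known package prefixes.
Added example for this article; not code from Kuketz, LastPass or LogMeIn."""
import io
import re
import zipfile
from collections import defaultdict

# Dex-descriptor-style package prefixes (no leading 'L') of the SDKs named in
# the article.  Assumption: these are the SDKs' normal, unobfuscated packages.
TRACKER_PREFIXES = {
    "Google Analytics": ("com/google/android/gms/analytics/",),
    "Google Crashlytics": ("com/crashlytics/", "com/google/firebase/crashlytics/"),
    "Google Firebase Analytics": ("com/google/firebase/analytics/",),
    "Google Tag Manager": ("com/google/android/gms/tagmanager/", "com/google/tagmanager/"),
    "Segment": ("com/segment/analytics/",),
    "AppsFlyer": ("com/appsflyer/",),
    "Mixpanel": ("com/mixpanel/android/",),
}

# A dex class descriptor looks like "Lcom/example/Foo;" and is stored as a
# NUL-terminated string in the dex string table, so a byte regex finds them.
_DESCRIPTOR_RE = re.compile(rb"L((?:[A-Za-z0-9_$]+/)+[A-Za-z0-9_$]+);")


def find_trackers_in_dex(dex_bytes):
    """Return {tracker_name: sorted list of matching class names} for one dex."""
    hits = defaultdict(set)
    for m in _DESCRIPTOR_RE.finditer(dex_bytes):
        cls = m.group(1).decode("ascii", "replace")
        for name, prefixes in TRACKER_PREFIXES.items():
            if cls.startswith(prefixes):
                hits[name].add(cls)
    return {k: sorted(v) for k, v in hits.items()}


def find_trackers_in_apk(apk_path_or_file):
    """Open an APK (a zip) and merge the findings from every classes*.dex."""
    merged = defaultdict(set)
    with zipfile.ZipFile(apk_path_or_file) as apk:
        for info in apk.infolist():
            if re.fullmatch(r"classes\d*\.dex", info.filename):
                for name, classes in find_trackers_in_dex(apk.read(info.filename)).items():
                    merged[name].update(classes)
    return {k: sorted(v) for k, v in merged.items()}


# Constructed stand-in for a dex string table: descriptors glued together with
# NUL separators.  Not taken from any real APK.
SAMPLE_DEX = b"\x00".join([
    b"Lcom/example/app/MainActivity;",                   # the app's own code (placeholder)
    b"Lcom/google/firebase/analytics/FirebaseAnalytics;",
    b"Lcom/crashlytics/android/Crashlytics;",
    b"Lcom/google/android/gms/tagmanager/TagManager;",
    b"Lcom/google/android/gms/analytics/Tracker;",
    b"Lcom/segment/analytics/Analytics;",
    b"Lcom/appsflyer/AppsFlyerLib;",
    b"Lcom/mixpanel/android/mpmetrics/MixpanelAPI;",
    b"Landroid/os/Bundle;",                              # framework class, must not match
])


def build_sample_apk():
    """Constructed in-memory APK (a zip with two dex files) for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", SAMPLE_DEX)
        z.writestr("classes2.dex", b"\x00".join([
            b"Lcom/appsflyer/internal/Foo;", b"Lcom/example/app/Util;"]))
        z.writestr("AndroidManifest.xml", b"<binary xml placeholder>")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Run against a real file with: find_trackers_in_apk("app.apk")
    for name, classes in sorted(find_trackers_in_apk(build_sample_apk()).items()):
        print(f"{name}: {', '.join(classes)}")
```

On a real APK the scan only tells you which SDKs are compiled in; which data they actually send, as Kuketz checked, still has to be observed on the wire or in the SDK's code.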
After analyzing the data transmitted by the trackers, Kuketz found that it included information about users' smartphones, such as make and model, as well as whether biometric security is enabled.
Even if the transmitted data is not personally identifiable, integrating third-party trackers and code in the first place introduces the potential for security vulnerabilities, according to Kuketz.
This is because LastPass is an app designed to store sensitive data, and trackers inside a security-critical app handling such information are a serious problem. An embedded SDK runs inside the app's own process with the app's permissions, so what it can reach is limited only by the vendor's integration choices and the SDK's own code, not by any boundary the operating system enforces.
What makes things sketchier is that LogMeIn, the company behind LastPass, names only Google Analytics as a third-party provider or partner in its data protection declaration.
"There is no reference to any other trackers. Overall, one gets the impression that the data protection declaration is kept very general and does not provide sufficient information about which third party providers the company behind LastPass (LogMeIn, Inc.) works with. From my point of view, the data protection declaration is incomplete," Kuketz wrote in a blog post.
"If you actually use LastPass, I recommend changing the password manager. There are solutions that do not permanently send data to third-party providers and record user behavior."
In response to the report, a spokesperson for LogMeIn said that the password manager does gather user data, but only a limited amount.
According to the spokesperson, the data is meant to know “about how LastPass is used,” and to help it “improve and optimize the product.”
Importantly, LogMeIn said LastPass does not collect or send any sensitive personally identifiable user data or vault activity because none "could be passed through these trackers.”
What's more, users can opt out of the analytics in the Privacy section of the Advanced Settings menu.
Further reading: Researchers Found Five Popular Password Managers That Aren't Secure