LastPass monitors its mobile users more than any other major password manager, says a German security researcher. And these trackers can see a lot of what you do in LastPass.
Mike Kuketz blogged last weekend that the current LastPass app for Android includes seven trackers, as reported by web app privacy analyzer Exodus.
By contrast, rival password manager Dashlane’s Android app has four trackers, while Keeper and Bitwarden have two each and 1Password has zero. Presumably iOS apps have not been checked.
Most of the seven LastPass trackers, including four common ones from Google, help control performance and crashes. But at least three trackers (AppsFlyer, MixPanel, and Segment) are designed.
Analytik-Module haben Darin schlichtwegkomkom -men nichts in voltabel , di in Passwort-Manager-Apps to integrate.”)
LastPass Statement:
The Register, which previously reported this story, has contacted LastPass.
Call home with lots of data:
Now, as The Register pointed out, LastPass has a lot of free users, although it will lose a lot of them next month due to policy changes, so you might think it has a right to at least make some money from them.
Kuketz thinks the LastPass trackers, which even LastPass may not know much about, sent too much information anyway. He activated LastPass and watched what the trackers sent back to base.
According to him, the MixPanel tracker sent the device manufacturer, Android version, model number, device ID, LastPass account type, and whether the LastPass app had biometric login and autofill enabled.
According to Kuketz, AppsFlyer sent most of this, along with the mobile network operator’s name, an Android advertising ID, and a mysterious username.
Some of this sounds harmless, but other researchers have well established that Android advertising IDs can be used to track people's physical location.
Look what you do:
Kuketz claimed to have created a new account with the LastPass app for Android, and the Segment tracker sent the message ID, time zone, location country, IP address of the device, and what the LastPass app was doing, in this case “password activation.”
In other words, according to Kuketz, LastPass app trackers can see where you are, what language you’re using, what type of LastPass account you’re using, and what you’re doing.
The trackers won’t be able to see the password or bank account number you enter, but it’s still scary to find out they’re aware of the fields you’re entering information in.
“Highly sensitive information such as logins, notes, bank accounts, etc. is stored in a password manager,” Kuketz wrote according to Google Translate.