1Password has none, KeePass has none... So why are there seven embedded trackers in the LastPass Android app?

Third-party code in security-critical apps is obviously suboptimal, but company says you can opt out

A security researcher has recommended against using the LastPass password manager Android app after noting seven embedded trackers. The software's maker says users can opt out if they want.

German infosec bod Mike Kuketz spotted LastPass's trackers in analysis produced by Exodus, which describes itself as "a non-profit organization led by hacktivists [whose] purpose is to help people get a better understanding of the Android applications tracking issues."

The Exodus report on LastPass shows seven trackers in the Android app, including four from Google for the purpose of analytics and crash reporting, as well as others from AppsFlyer, MixPanel, and Segment. Segment, for instance, gathers data for marketing teams, and claims to offer a "single view of the customer", profiling users and connecting their activity across different platforms, presumably for tailored adverts.

LastPass has many free users – is it a problem if its owner seeks to monetise them in some way? Kuketz said it is. Typically, the way trackers like this work is that the developer compiles code from the tracking provider into their application. The gathered information can be used to build up a profile of the user's interests from their activities, and target them with ads.

Even the app developers do not know what data is collected and transmitted to the third-party providers, said Kuketz, and integrating proprietary code could introduce security risks and unexpected behaviour on top of the privacy risk. These things do not belong in password managers, which are security-critical, he said.

Kuketz also investigated what data is transmitted by inspecting the network traffic. He found that this included details about the device being used, the mobile operator, the type of LastPass account, and the Google Advertising ID (which can connect data about the user across different apps). During use, the data also shows when new passwords are created and what type they are. Kuketz did not suggest that actual passwords or usernames are transmitted, but did note the absence of any opt-out dialogs, or information for the user about the data being sent to third parties. In his view, the presence of the trackers demonstrates a suboptimal attitude to security. Kuketz recommended changing to a different password manager, such as the open-source KeePass.

Do all password apps contain such trackers? Not according to Exodus. 1Password has none. KeePass has none. The open-source Bitwarden has two for Google Firebase analytics and Microsoft Visual Studio crash reporting. Dashlane has four. LastPass does appear to have more than its rivals. And yes, lots of smartphone apps have trackers: today, we're talking about LastPass.
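As an added illustration (not code from the article, Kuketz or Exodus), this is the kind of static check an Exodus-style report rests on: fully-qualified class names listed from an APK's DEX (for example with `apkanalyzer dex packages` or `dexdump`) are matched against signature patterns for known tracker SDKs. The signature regexes, the sample class list and the function names are constructed for this example and are not Exodus's own signature database.

```python
import re
from collections import defaultdict

# Constructed signatures: tracker name -> regex applied to fully-qualified class
# names. Exodus maintains its own, far larger, pattern list; these are assumptions
# chosen to cover the SDK families the report names (Google, AppsFlyer, Mixpanel, Segment).
TRACKER_SIGNATURES = {
    "Google Firebase Analytics": r"^com\.google\.firebase\.analytics\.",
    "Google Analytics":          r"^com\.google\.android\.gms\.analytics\.",
    "Google CrashLytics":        r"^com\.google\.firebase\.crashlytics\.|^com\.crashlytics\.",
    "AppsFlyer":                 r"^com\.appsflyer\.",
    "Mixpanel":                  r"^com\.mixpanel\.android\.",
    "Segment":                   r"^com\.segment\.analytics\.",
}

def detect_trackers(class_names):
    """Return {tracker name: [matching class names]} for every signature that fires."""
    compiled = {name: re.compile(pat) for name, pat in TRACKER_SIGNATURES.items()}
    hits = defaultdict(list)
    for cls in class_names:
        for name, rx in compiled.items():
            if rx.search(cls):
                hits[name].append(cls)
    return dict(hits)

def tracker_count(class_names):
    """Number of distinct tracker SDKs detected, the figure Exodus-style reports headline."""
    return len(detect_trackers(class_names))

# Constructed sample: a short class list of the kind a DEX listing produces for a
# hypothetical password-manager app. It is not taken from LastPass or any real APK.
SAMPLE_CLASSES = [
    "com.example.vault.MainActivity",
    "com.example.vault.crypto.Pbkdf2",
    "com.google.firebase.analytics.FirebaseAnalytics",
    "com.google.android.gms.analytics.Tracker",
    "com.appsflyer.AppsFlyerLib",
    "com.mixpanel.android.mpmetrics.MixpanelAPI",
    "com.segment.analytics.Analytics",
    "androidx.appcompat.app.AppCompatActivity",
]

if __name__ == "__main__":
    found = detect_trackers(SAMPLE_CLASSES)
    print(f"{len(found)} tracker SDK(s) detected")
    for name, classes in sorted(found.items()):
        print(f"  {name}: {', '.join(classes)}")
```

Class-name matching only shows that a tracker SDK is compiled in, not what it sends; confirming the transmitted fields still needs the traffic inspection Kuketz performed.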

Password managers are essential for most users since the number of passwords to be managed exceeds our ability to remember them, and the complex passwords needed for security are particularly hard to memorise. Using the same password across multiple services is poor practice because it increases the impact if a password is stolen or inadvertently disclosed.

The discussion about trackers in LastPass comes at a bad time. Earlier this month the company (which is owned by LogMeIn) crippled its free offering to support only a single device type, and many users have said they would switch as a result – like user Mattias Ahnberg, who wrote on Twitter: "This means I will finally migrate away to 1Password instead of being blocked by such a limitation that you're adding." Losing free users may even have been the intention, but the tracking issues affect paid users as well, which would be more of a concern.

A LastPass spokesperson told us: "No sensitive personally identifiable user data or vault activity could be passed through these trackers. These trackers collect limited aggregated statistical data about how you use LastPass which is used to help us improve and optimize the product.

"All LastPass users, regardless of browser or device, are given the option to opt-out of these analytics in their LastPass Privacy Settings, located in their account here: Account Settings > Show Advanced Settings > Privacy. We are continuously reviewing our existing processes and working to make them better to comply, and exceed, the requirements of current applicable data protection standards." ®

Editor's note: This article was corrected after publication to refer to the more popular KeePass rather than KeyPass. Neither has trackers.
