‘Malicious Server Threat Model’ Threatens ‘Zero Knowledge Encryption’ Guarantees

Recent findings from a group of Swiss and Italian security researchers challenge the advertised security of popular cloud-based password managers, namely Bitwarden, Dashlane, and LastPass. The researchers report significant vulnerabilities in products marketed under “zero knowledge encryption” and argue that the term does not deliver the protections these companies claim.
The team, from ETH Zurich and USI Università della Svizzera italiana, showed that the vendors' statements about their password vault security significantly overstate the protections actually in place. They highlight the risk posed by a malicious or compromised server: if an attacker gains control of the server, the advertised security assurances no longer hold.
“Zero knowledge encryption” is meant to prevent the service provider from accessing user passwords. However, the researchers found that the term has no formal definition in the industry and functions more as a marketing label. They indicated that the attacks they found allow access to the contents of these encrypted vaults, undermining the trust users place in them.
Historically, password managers have been endorsed as a solution for online security, enabling users to create complex, unique passwords for each platform. Yet, as the researchers noted, the concentration of sensitive information stored in these password managers makes them attractive targets for determined cybercriminals capable of executing sophisticated attacks.
By utilizing a “malicious server threat model,” the team identified twelve distinct attacks against Bitwarden, seven against LastPass, and six against Dashlane. Each attack demonstrated the potential for compromising user passwords, which fundamentally contradicts the core promise of these password management services: secure password storage.
The findings categorize the vulnerabilities into four critical areas: weaknesses in key escrow features related to single sign-on and account recovery, breaches of vault integrity, inadequacies in sharing functionalities, and the exploitation of backward compatibility features. Such insights invite deeper scrutiny into the prevailing security measures employed by these services.
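To make the vault integrity category concrete, the following added example (not the researchers' or any vendor's code) models a malicious server that swaps entries or serves a stale copy. A client that tags each ciphertext on its own accepts both; a client that authenticates the whole vault, including its version, rejects them. The master password, salt and placeholder ciphertexts are constructed assumptions; no real encryption is performed, since the point is what the client authenticates.

```python
import hashlib
import hmac
import json

# Constructed sample: two vault items with opaque placeholder "ciphertexts".
ENTRIES = [("github", b"\x01" * 16), ("bank", b"\x02" * 16)]

def derive_mac_key(master_password: str, salt: bytes) -> bytes:
    # Derived only on the client; the server never learns the master password.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 200_000)

def tag(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, "sha256").hexdigest()

def naive_vault(entries, key, version):
    # Each tag covers the ciphertext alone, not its id, position or the vault version.
    return {"version": version,
            "items": [{"id": i, "ct": ct.hex(), "tag": tag(key, ct)} for i, ct in entries]}

def naive_verify(vault, key) -> bool:
    return all(hmac.compare_digest(it["tag"], tag(key, bytes.fromhex(it["ct"])))
               for it in vault["items"])

def bound_vault(entries, key, version):
    # One tag over a canonical serialization of version, ids and ciphertexts.
    items = [{"id": i, "ct": ct.hex()} for i, ct in entries]
    body = json.dumps({"version": version, "items": items}, sort_keys=True).encode()
    return {"version": version, "items": items, "tag": tag(key, body)}

def bound_verify(vault, key, last_seen_version: int) -> bool:
    body = json.dumps({"version": vault["version"], "items": vault["items"]},
                      sort_keys=True).encode()
    # Reject a modified vault and also a genuine but stale one (rollback).
    return hmac.compare_digest(vault["tag"], tag(key, body)) and vault["version"] >= last_seen_version

def server_swaps_items(vault):
    # Models a malicious server moving one item's stored blob onto another item.
    v = json.loads(json.dumps(vault))
    a, b = v["items"][0], v["items"][1]
    a["ct"], b["ct"] = b["ct"], a["ct"]
    if "tag" in a:
        a["tag"], b["tag"] = b["tag"], a["tag"]
    return v

def demo():
    key = derive_mac_key("correct horse battery staple", b"constructed-salt")
    naive, bound = naive_vault(ENTRIES, key, 7), bound_vault(ENTRIES, key, 7)
    return {"naive_accepts_swap": naive_verify(server_swaps_items(naive), key),
            "bound_rejects_swap": not bound_verify(server_swaps_items(bound), key, 7),
            "bound_rejects_rollback": not bound_verify(bound_vault(ENTRIES, key, 6), key, 7),
            "bound_accepts_genuine": bound_verify(bound, key, 7)}
```

The client must keep `last_seen_version` locally for the rollback check to mean anything; a version number stored only on the server is under the attacker's control.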
The researchers shared their findings with the vendors and set a public disclosure timeline, collaborating with them to develop potential fixes. Although all three companies expressed a commitment to address the discovered vulnerabilities, some were notably less responsive in implementing critical updates.
In light of these revelations, organizations that rely on these cloud-based password managers should reassess their security posture and consider which adversary tactics from the MITRE ATT&CK framework, such as initial access and persistence, could have been used in the course of these attacks. The alarming outcomes of this research underline the need both to strengthen security measures and to clarify product marketing claims, so that users can make fully informed choices about their online security.