Researchers at ETH Zurich analyzed popular cloud-based password managers under a malicious-server (zero-knowledge) threat model, in which the attacker controls the vendor's server, and found multiple ways such an attacker could compromise users' vaults. They demonstrated full vault compromise for Bitwarden and LastPass, shared-vault compromise for Dashlane, and attacks targeting account recovery, SSO, sharing, and vault integrity. Vendors have issued patches and disputed some of the severity assessments. #ETHZurich #LastPass
Key points
- ETH Zurich analyzed Bitwarden, Dashlane, LastPass, and 1Password under a fully malicious-server assumption.
- Researchers focused on weaknesses in zero-knowledge encryption, account recovery, SSO, sharing, backward-compatibility, and vault integrity.
- They achieved full vault compromise for Bitwarden and LastPass and shared-vault compromise for Dashlane, with the ability to view and modify credentials.
- Vendors responded that many of the attacks require full server compromise and advanced cryptographic techniques (full server compromise being the premise of the zero-knowledge model the study assumed) and have rolled out patches and mitigations.
- 1Password said some of the issues were previously documented and highlighted defenses such as Secure Remote Password (SRP) authentication and enterprise-managed credentials that reduce what a compromised server can learn or do.