What's Happening?
Researchers from the Swiss Federal Institute of Technology (ETH Zürich) have uncovered significant vulnerabilities in popular cloud-based password managers, including Bitwarden, Dashlane, LastPass, and 1Password. These vulnerabilities allow an attacker who controls the vendor's server infrastructure to view and modify stored passphrases, despite the vendors' claims of zero-knowledge encryption. The research team set up servers mimicking compromised infrastructure to demonstrate how routine user interactions, such as logging in or synchronizing data, could be exploited. They discovered multiple distinct attacks against each password manager, highlighting the potential for attackers to target sensitive data. The study emphasizes the complexity of password manager code, which attempts to balance security with user-friendly features and thereby inadvertently expands the attack surface. The researchers followed responsible disclosure practices, notifying affected providers 90 days before publication. While some providers were cooperative, not all were quick to address the vulnerabilities.
Why It's Important?
The discovery of these vulnerabilities is significant as it underscores the potential risks associated with using cloud-based password managers, which are widely relied upon by individuals and organizations for securing sensitive information. The findings highlight the need for improved security measures and transparency from password manager providers. The vulnerabilities pose a threat to millions of users and thousands of companies that depend on these services for password management. The research suggests that providers should adopt current cryptographic standards and ensure end-to-end encryption is enabled by default. This development could lead to increased scrutiny of password manager security practices and potentially drive changes in how these services are designed and implemented.
What's Next?
The research team proposes a practical migration path for addressing these security issues, recommending that new customers be enrolled in systems built to current cryptographic standards. Existing customers should have the option to migrate to more secure systems or remain on the old infrastructure with full awareness of the risks. The findings will be presented at the USENIX Security 2026 conference in the United States, potentially prompting further discussions and actions within the cybersecurity community. Providers may face pressure to enhance their security measures and communicate more transparently about the security guarantees their solutions offer.