Academic researchers have disclosed a series of security weaknesses in several widely used cloud-based password managers that could allow attackers to view, alter, or fully compromise stored credentials, even in environments advertised as zero-knowledge.
The findings come from a study conducted by teams at ETH Zurich and the University of Lugano (USI) in Switzerland, which examined the security of Bitwarden, LastPass, and Dashlane under a malicious server threat model. In this scenario, attackers are assumed to gain control over the service’s backend infrastructure rather than a user’s device.
According to the researchers, they demonstrated 25 viable attack scenarios in total: 12 affecting Bitwarden, 7 affecting LastPass, and 6 affecting Dashlane. The attacks range from integrity violations (where stored passwords can be altered without detection) to scenarios that allow attackers to recover or manipulate credentials stored in user and organizational vaults.
The study challenges common assumptions around end-to-end and zero-knowledge encryption. While such designs are intended to prevent service providers from accessing plaintext passwords, the researchers showed that architectural and cryptographic weaknesses could still be exploited if a server is compromised or behaves maliciously.
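To make the malicious server threat model concrete, the following is an added illustration written for this article; it is not code from Bitwarden, LastPass, Dashlane, or the ETH Zurich/USI study, and it does not reproduce any of the 25 reported attacks. It assumes a generic client-side vault design in which the client holds a secret key the server never sees, seals each record with encrypt-then-MAC, and binds the record's identity and a version counter into the integrity tag. The three manipulations exercised (ciphertext tampering, relabelling one entry's ciphertext as another's, and serving a stale version) are the kinds of server-side actions a client must detect on its own, since a compromised backend can no longer be trusted to do so. The keystream is a toy stand-in for a real cipher such as AES-GCM.

```python
"""Client-side integrity checks for vault records under a malicious-server threat model.

Constructed example (assumed generic design, not any vendor's implementation).
The server stores opaque records; the client verifies identity, freshness and
an integrity tag before trusting anything it gets back.
"""
import hashlib
import hmac
import json
import os
from typing import Optional


def _derive(master_key: bytes, label: bytes) -> bytes:
    # Split one client-side master key into separate encryption and MAC keys.
    return hmac.new(master_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy counter-mode keystream for illustration only; a real client uses AES-GCM or similar.
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(enc_key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def _aad(entry_id: str, version: int) -> bytes:
    # Associated data: metadata that is authenticated but not encrypted.
    return json.dumps({"entry_id": entry_id, "version": version}, sort_keys=True).encode()


def seal_record(master_key: bytes, entry_id: str, version: int, plaintext: bytes) -> dict:
    """Encrypt a vault entry and bind entry_id and version into the integrity tag."""
    enc_key, mac_key = _derive(master_key, b"enc"), _derive(master_key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, _aad(entry_id, version) + nonce + ct, hashlib.sha256).digest()
    return {"entry_id": entry_id, "version": version,
            "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def open_record(master_key: bytes, record: dict, expected_id: str, min_version: int) -> Optional[bytes]:
    """Return the plaintext, or None if the record was altered, relabelled or rolled back."""
    enc_key, mac_key = _derive(master_key, b"enc"), _derive(master_key, b"mac")
    # Identity and freshness are checked against the client's own expectations,
    # never against what the server claims.
    if record["entry_id"] != expected_id or record["version"] < min_version:
        return None
    nonce, ct = bytes.fromhex(record["nonce"]), bytes.fromhex(record["ct"])
    tag = hmac.new(mac_key, _aad(record["entry_id"], record["version"]) + nonce + ct,
                   hashlib.sha256).digest()
    if not hmac.compare_digest(tag, bytes.fromhex(record["tag"])):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def demo() -> dict:
    """Run the checks against three constructed server-side manipulations."""
    key = hashlib.sha256(b"constructed client-side master secret").digest()
    good = seal_record(key, "entry-42", 2, b"correct horse battery staple")
    results = {"honest": open_record(key, good, "entry-42", 2) == b"correct horse battery staple"}

    # 1. Ciphertext bit-flip: with a malleable cipher and no tag this would silently change the password.
    ct = bytearray(bytes.fromhex(good["ct"]))
    ct[0] ^= 0x01
    flipped = dict(good, ct=bytes(ct).hex())
    results["tamper_detected"] = open_record(key, flipped, "entry-42", 2) is None

    # 2. Relabelling: the server hands back another entry's sealed data under entry-42's name.
    other = seal_record(key, "entry-7", 2, b"some other secret")
    relabelled = dict(other, entry_id="entry-42")
    results["swap_detected"] = open_record(key, relabelled, "entry-42", 2) is None

    # 3. Rollback: an old, validly sealed version is served after the client has written version 2.
    stale = seal_record(key, "entry-42", 1, b"old password")
    results["rollback_detected"] = open_record(key, stale, "entry-42", 2) is None
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is that every check happens on the client with client-held state (the expected entry id and the last version it wrote); a server that can read and rewrite its own database must be unable to produce a record the client will accept unless the client itself sealed it. Version tracking is the piece most often missing in practice: a tag alone proves a record is genuine, not that it is current.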
Researchers emphasized that their work doesn’t indicate active exploitation or real-world compromise of the affected services. The findings are intended to highlight realistic threat models that are often overlooked and to encourage stronger protections against server-side attacks.
All affected vendors were notified through a coordinated disclosure process. The researchers noted that password managers remain high-value targets and that server compromise scenarios should be considered a critical part of modern security planning.
Users are advised to stay informed about vendor updates and to remain aware that no security model is immune to all classes of attack, particularly as cloud-based services continue to play a central role in credential management.