Major Password Managers Have Design Flaws Enabling Vault Attacks

Summary

– Researchers found that cloud-based password managers with “zero-knowledge encryption” can be compromised if their servers are breached, allowing attackers to recover or manipulate passwords.
– The study tested four popular managers (Bitwarden, LastPass, Dashlane, 1Password), identifying multiple attack scenarios across them.
– Attackers can exploit design weaknesses in features like key escrow, item-level encryption, credential sharing, and backwards compatibility to compromise vaults.
– Vendors have been notified and have patched some flaws, though they note that certain security challenges, like verifying public keys, remain industry-wide issues.
– While these attacks require significant skill and are not widely observed, the researchers warn that high-risk individuals or organizations could be targeted by advanced threat actors.

A recent investigation reveals that several leading cloud-based password managers contain significant design weaknesses, potentially allowing attackers to compromise encrypted user vaults. While these services market “zero-knowledge” encryption, meaning the provider cannot decrypt stored data, new research demonstrates that a compromised server could still lead to a full breach of user passwords. The findings challenge a core security assumption for millions of individuals and businesses relying on these tools to protect their digital lives.

Academic researchers from ETH Zurich and Università della Svizzera italiana conducted a thorough security analysis of four prominent services: Bitwarden, LastPass, Dashlane, and 1Password. They identified multiple attack scenarios, with twelve against Bitwarden, seven targeting LastPass, six for Dashlane, and three concerning 1Password. These vulnerabilities stem from common features and architectural choices rather than simple coding errors.

The attacks exploit four primary categories of functionality. Key escrow systems, used for vault or account recovery if a master password is forgotten, can introduce risks. Item-level vault encryption, where individual data pieces are encrypted separately, often combines with unencrypted or unauthenticated metadata, creating openings. Features for credential sharing and maintaining backwards compatibility with older client software also present exploitable weaknesses.

Underlying these issues are specific design flaws. These include missing key authentication, a lack of authenticated encryption, poor key separation, and legacy cryptographic support. When an attacker tampers with data on the server, such as manipulating keys, metadata, or ciphertext, these weaknesses can lead to severe outcomes. In many cases, attackers could fully compromise a vault, steal all passwords, or silently alter its contents. Alarmingly, several of these attacks require little to no user interaction, sometimes needing only a routine login or sync action.
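The sketch below is an added example, not code from the researchers or from any of the four vendors. It shows how a client can bind item metadata to each separately encrypted field, so that a record the server has moved or altered fails authentication. The function names, the record layout, and the HMAC-based stand-in cipher are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def _subkey(vault_key: bytes, label: bytes) -> bytes:
    # Key separation: one independent subkey per purpose.
    return hmac.new(vault_key, b"subkey|" + label, hashlib.sha256).digest()

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in stream cipher (HMAC-SHA256 in counter mode) so the example
    # runs on the standard library alone. Use a vetted AEAD in real code.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def _context(item_id: str, field: str) -> bytes:
    # Length-prefixed encoding so ("ab", "c") and ("a", "bc") cannot collide.
    parts = [item_id.encode(), field.encode()]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)

def seal(vault_key: bytes, item_id: str, field: str, plaintext: bytes, bind: bool = True) -> dict:
    nonce = os.urandom(16)
    ct = _keystream_xor(_subkey(vault_key, b"enc"), nonce, plaintext)
    aad = _context(item_id, field) if bind else b""  # bind=False models unauthenticated metadata
    tag = hmac.new(_subkey(vault_key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}

def unseal(vault_key: bytes, item_id: str, field: str, rec: dict, bind: bool = True) -> bytes:
    aad = _context(item_id, field) if bind else b""
    want = hmac.new(_subkey(vault_key, b"mac"), aad + rec["nonce"] + rec["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(want, rec["tag"]):
        raise ValueError("record failed authentication")
    return _keystream_xor(_subkey(vault_key, b"enc"), rec["nonce"], rec["ct"])

def relocation_detected(bind: bool) -> bool:
    # Constructed scenario: the server returns the record stored under
    # ("item-1", "password") when the client asks for ("item-1", "notes").
    key = os.urandom(32)
    rec = seal(key, "item-1", "password", b"constructed-secret", bind)
    try:
        unseal(key, "item-1", "notes", rec, bind)
        return False
    except ValueError:
        return True
```

With `bind=True` the relocated record is rejected; with `bind=False` the client accepts it, which is the gap that unauthenticated metadata leaves open.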

“We were surprised by the severity of the security vulnerabilities,” stated Prof. Dr. Kenneth Paterson of ETH Zurich’s Applied Cryptography Group. He suggested that because end-to-end encryption in commercial services is relatively new, it may not have undergone this level of detailed scrutiny before.

The research team proposed a comprehensive set of changes to mitigate all identified attacks. They acknowledged, however, that vendors might be hesitant to implement fixes that could break functionality or, in a worst-case scenario, lock users out of their vaults permanently. To navigate this, the researchers recommended using specialized client software solely to force a secure migration to a new, more robust vault format, thereby preserving access while upgrading security for everyone.

All four vendors were notified of the findings months before public disclosure. Each has since worked to address some of the flaws. They also pointed out that certain challenges, like verifying the authenticity of public keys, remain unsolved industry-wide problems. While each company valued the research for improving user safety, they emphasized no evidence suggests these attacks have been used against customers in the wild.

The researchers concur that average users face a low risk, as executing these attacks demands considerable skill and resources. However, they warned that high-risk individuals and organizations could be viable targets. The team could not rule out the possibility that sophisticated threat actors, including state-sponsored groups, might already be aware of or using similar methods. The best defense for at-risk parties is to trust that vendors will rapidly patch their systems, a process the researchers actively supported through their engagement.

In a subsequent statement, 1Password’s Chief Information Security Officer, Jacob DePriest, noted their security team’s review found no new attack vectors beyond those already documented in their public security white paper. He reiterated the company’s commitment to continually strengthening its architecture against advanced threats, including malicious-server scenarios. He highlighted their use of the Secure Remote Password (SRP) protocol to authenticate users without transmitting keys to servers, which helps mitigate entire classes of server-side attacks, and pointed to recent enhancements for enterprise-managed credentials designed to withstand sophisticated threats.

(Source: HelpNet Security)
