Three major cloud-based password managers, Bitwarden, LastPass, and Dashlane, collectively serve approximately 60 million users.
Despite marketing claims of “zero-knowledge encryption,” the research team demonstrated that these platforms contained vulnerabilities allowing attackers to view or modify stored credentials.
The findings challenge the industry standard assumption that providers cannot access user data even if their servers are compromised.
Researchers from the Applied Cryptography Group at ETH Zurich have identified critical security flaws in the architecture of three major cloud-based password managers.
The research team, led by Professor Kenneth Paterson, operated under a “malicious server threat model.”
In this scenario, the researchers simulated a compromised service provider to test how the client application, such as a web browser extension, would react to unexpected server behavior.
The results were significant, revealing a total of 25 distinct attack vectors. The breakdown included 12 vulnerabilities in Bitwarden, 7 in LastPass, and 6 in Dashlane.
These exploits ranged from targeted integrity violations against specific user vaults to the complete compromise of all vaults within an organization.
A primary cause for these vulnerabilities appears to be the complexity of the code required to support user-friendly features.
Features such as password recovery and account sharing often force developers to implement complex logic that expands the attack surface.
Matteo Scarlata, a doctoral student involved in the study, noted that many providers continue to rely on obsolete cryptographic technologies from the 1990s.
Vendors are reportedly hesitant to update these legacy systems due to fears that modernizing the architecture could accidentally lock users out of their data or disrupt service availability for enterprise clients.
The implications of these findings are severe for the “zero-knowledge” security model. Typically, these providers assure customers that data is encrypted on the device before reaching the cloud, making it unreadable to the server.
However, the ETH Zurich team successfully bypassed these protections using simple interactions that browsers perform routinely, such as synchronizing data or opening a vault.
This proves that a sophisticated hacker with server access could manipulate the data stream to decrypt sensitive information.
Following standard responsible disclosure protocols, the researchers notified the affected vendors and provided a 90-day window for remediation before publishing their findings.
While most providers were cooperative, the speed and willingness to implement fixes varied.
The researchers suggest that users should prioritize password managers that undergo external audits and offer transparency regarding their security architecture.
They also recommend that vendors offer a migration path for users to move to updated, modern cryptographic systems rather than patching legacy code indefinitely.