Researchers from ETH Zurich have uncovered 25 serious vulnerabilities in three leading cloud-based password managers: Bitwarden, LastPass, and Dashlane.
These flaws enable a malicious server to bypass zero-knowledge encryption claims, allowing unauthorized access, modification, and recovery of users’ stored passwords and vault data.
Bitwarden, LastPass, and Dashlane collectively serve over 60 million users and hold significant market share. The analysis targets their client-server interactions under a fully malicious server threat model, where servers deviate arbitrarily from protocols.
Vendors advertise “zero-knowledge encryption,” implying servers cannot access plaintext vaults even if compromised, but the researchers demonstrate repeated failures in confidentiality and integrity protections.
The 25 attacks span four categories: key escrow mechanisms, item-level vault encryption flaws, sharing features, and backwards compatibility issues.
Key Escrow Attacks
These target account recovery and SSO login mechanisms, enabling full vault compromise via unauthenticated keys. Bitwarden’s BW01-BW03 allow malicious auto-enrollment, key rotation, and KC conversion through key substitution upon joining organizations or accepting dialogs. LastPass’s LP01 exploits password reset flaws similarly.
Item-Level Encryption Flaws
Flawed per-item encryption leads to integrity violations, metadata leaks, field swapping, and KDF downgrades. Bitwarden’s BW04-BW07 expose unprotected metadata, swap fields, decrypt icons, and remove iterations for brute-force. LastPass LP02-LP06 and Dashlane DL01 enable malleable vaults and replay attacks due to AES-CBC and missing bindings.
Sharing Feature Attacks
Unauthenticated public keys compromise organizations and shared vaults. Bitwarden’s BW08-BW09 inject or overwrite organizations; LastPass LP07 and Dashlane DL02 overwrite sharing keys upon joining. Impacts scale to team-wide access.
Backwards Compatibility Issues
Legacy code support triggers downgrades to insecure modes like CBC. Bitwarden’s BW10-BW12 disable protections and overwrite keys; Dashlane’s DL03-DL06 enable injections, KDF removal, and “Lucky 64” after syncs. Dashlane patched via extension 6.2544.1.
In Bitwarden, 12 attacks include malicious auto-enrollment (BW01), where unauthenticated organization public keys allow key substitution and full vault compromise upon joining any group.
LastPass faces seven issues, such as lacking ciphertext integrity with AES-CBC (LP05), enabling malleable vaults, and field swapping. Dashlane has six vulnerabilities, like transaction replay (DL01) due to shared keys across transactions, violating vault integrity.
| Attack Ref | Product | Cause | Impact | Client Interaction |
|---|---|---|---|---|
| BW01 | Bitwarden | Lack of Key Auth, Key Substitution | Full vault compromise | 1 join |
| BW02 | Bitwarden | Key Substitution | Full vault compromise | 1 rotation |
| BW03 | Bitwarden | Lack of Key Auth, Key Substitution | Full vault compromise | 1 dialog |
| LP01 | LastPass | Lack of Key Auth | Full vault compromise | 1 login |
| BW04 | Bitwarden | Lack of Auth Enc | Read/modify metadata | – |
| BW05 | Bitwarden | Lack of Key Sep | Field/item swapping | – |
| BW06 | Bitwarden | Lack of Key Sep | Loss of confidentiality | 1 open |
| BW07 | Bitwarden | Lack of Auth Enc | No brute-force protection | 1 login |
| LP02 | LastPass | Lack of Auth Enc | Field/item swapping | – |
| LP03 | LastPass | Lack of Key Sep | Loss of confidentiality | 1 open |
| LP04 | LastPass | Lack of Auth Enc | No brute-force protection | 1 login |
| LP05 | LastPass | Lack of Auth Enc | Loss of vault integrity | – |
| DL01 | Dashlane | Lack of Key Sep | Loss of vault integrity | – |
| BW08 | Bitwarden | Lack of Key Auth | Add users to orgs | 1 sync |
| BW09 | Bitwarden | Lack of Key Auth, Key Substitution | Org compromise | 1 join |
| LP07 | LastPass | Lack of Key Auth | Shared vault compromise | 1 join |
| DL02 | Dashlane | Lack of Key Auth | Shared vault compromise | 1 join |
| BW10 | Bitwarden | Lack of Auth Enc | Downgrade key hierarchy | – |
| BW11 | Bitwarden | CBC Support | Loss of confidentiality | 2 logins |
| BW12 | Bitwarden | CBC Support | Full vault compromise | 2 logins |
| DL03 | Dashlane | CBC Support | Loss of vault integrity | 104 syncs |
| DL04 | Dashlane | CBC Support | No brute-force protection | 104 syncs |
| DL05 | Dashlane | CBC Support | Loss of confidentiality | 105 syncs |
| DL06 | Dashlane | CBC Support | No brute-force protection | 104 syncs |
| LP06 | LastPass | Lack of Auth Enc | Read/modify metadata | – |
Many attacks require minimal interaction, like a single login or sync, exploiting unauthenticated public keys, missing key separation, and legacy AES-CBC support. For instance, icon URL decryption leaks (BW06, LP03) reveal passwords via client requests. KDF iteration downgrades (BW07, LP04) accelerate brute-force by up to 300,000x.

Researchers disclosed findings responsibly: Bitwarden on January 27, 2025; LastPass on June 4, 2025; Dashlane on August 29, 2025, with 90-day remediation windows.
Bitwarden advanced fixes for several, including minimum KDF iterations and CBC removal; LastPass addressed LP03; Dashlane mitigated some CBC issues. Recommended mitigations include authenticated encryption (AE), full key separation (KS), public key authentication (PKA), and ciphertext signing (SC).
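The item-level flaws above (unauthenticated AES-CBC, missing key separation, field swapping, KDF iteration downgrades) and the mitigations listed here (authenticated encryption, key separation) are easiest to see side by side in code. The following is an added example, not code from the paper or from any of the three vendors: a small client-side vault item format that binds each ciphertext to its item ID and field name, authenticates it with a separately derived MAC key, and refuses a KDF iteration count below a client-enforced floor. The cipher is HMAC-SHA256 in counter mode so the example runs with the Python standard library only; the 600,000 iteration floor, item IDs and field names are constructed values, not the vendors' settings.

```python
import hashlib
import hmac
import secrets

# Assumed policy floor for PBKDF2-HMAC-SHA256 (constructed value); a hardened
# client refuses anything lower instead of trusting the count the server returns.
MIN_KDF_ITERATIONS = 600_000


class VaultIntegrityError(Exception):
    """Raised when a ciphertext fails authentication, is bound to another field,
    or the server-supplied KDF parameters fall below the client's floor."""


def derive_master_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Derive the vault master key, enforcing the client-side iteration floor."""
    if iterations < MIN_KDF_ITERATIONS:
        raise VaultIntegrityError(f"KDF iterations {iterations} below floor {MIN_KDF_ITERATIONS}")
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def subkey(master_key: bytes, label: bytes) -> bytes:
    """Key separation: derive a purpose-specific key via a labelled PRF, so the
    encryption key and the MAC key are never the same bytes."""
    return hmac.new(master_key, b"vault-subkey|" + label, "sha256").digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in stream cipher (demonstration only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def _binding(item_id: bytes, field: bytes) -> bytes:
    """Length-prefixed associated data tying a ciphertext to one field of one item."""
    return len(item_id).to_bytes(2, "big") + item_id + len(field).to_bytes(2, "big") + field


def seal_field(master_key: bytes, item_id: bytes, field: bytes, plaintext: bytes):
    """Encrypt-then-MAC with the item/field binding covered by the tag."""
    enc_key = subkey(master_key, b"enc")
    mac_key = subkey(master_key, b"mac")
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, _binding(item_id, field) + nonce + ciphertext, "sha256").digest()
    return nonce, ciphertext, tag


def open_field(master_key: bytes, item_id: bytes, field: bytes, nonce: bytes, ciphertext: bytes, tag: bytes) -> bytes:
    """Verify the tag under the expected item/field binding before decrypting anything."""
    enc_key = subkey(master_key, b"enc")
    mac_key = subkey(master_key, b"mac")
    expected = hmac.new(mac_key, _binding(item_id, field) + nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise VaultIntegrityError(f"authentication failed for {item_id!r}.{field!r}")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def demo() -> dict:
    """Round trip, then show which server-side manipulations the bound scheme rejects."""
    password, salt = b"correct horse battery staple", b"constructed-salt"
    master = derive_master_key(password, salt, MIN_KDF_ITERATIONS)
    item = b"item-42"  # constructed item ID
    sealed = {
        b"username": seal_field(master, item, b"username", b"alice"),
        b"password": seal_field(master, item, b"password", b"hunter2"),
    }
    results = {"roundtrip": open_field(master, item, b"password", *sealed[b"password"]) == b"hunter2"}
    # Field swap: the password blob is served in the username slot; the binding catches it.
    try:
        open_field(master, item, b"username", *sealed[b"password"])
        results["swap_rejected"] = False
    except VaultIntegrityError:
        results["swap_rejected"] = True
    # Malleability: one flipped ciphertext byte fails the MAC instead of silently decrypting.
    nonce, ct, tag = sealed[b"password"]
    try:
        open_field(master, item, b"password", nonce, bytes([ct[0] ^ 0x01]) + ct[1:], tag)
        results["tamper_rejected"] = False
    except VaultIntegrityError:
        results["tamper_rejected"] = True
    # KDF downgrade: a server-supplied iteration count of 1 is refused by the client.
    try:
        derive_master_key(password, salt, 1)
        results["downgrade_rejected"] = False
    except VaultIntegrityError:
        results["downgrade_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is that every check happens on the client from parameters the client controls or authenticates: the iteration floor is a local constant rather than a server value, the MAC is verified before any plaintext is produced, and the associated data makes a ciphertext for one field undecryptable under any other field or item, which is exactly the binding the swapping and replay attacks in the table exploit the absence of.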
Users should update clients, enable per-item keys where available, and monitor vendor patches. The study urges formal security models for password managers akin to E2EE cloud storage. Self-hosted deployments remain vulnerable if servers are compromised.