Cloud Password Manager Security Breach: 25 Password Recovery Attacks Exposed
Study Uncovers Vulnerabilities in Cloud-Based Password Managers
A recent study conducted by researchers at ETH Zurich and Università della Svizzera italiana has uncovered 25 vulnerabilities in popular cloud-based password managers, including Bitwarden, Dashlane, and LastPass. The study, which focused on the password managers’ zero-knowledge encryption (ZKE) promises, found that the vulnerabilities could be exploited by a malicious server to compromise user passwords.
Zero-Knowledge Encryption (ZKE) and Password Manager Vulnerabilities
ZKE is a cryptographic technique that allows a party to prove knowledge of a secret without revealing the secret itself. Password manager vendors implement ZKE to enhance user privacy and security by ensuring that vault data cannot be tampered with. However, the researchers found that the implementations of ZKE in the studied password managers were flawed, leading to a range of vulnerabilities.
Vulnerability Categories
The vulnerabilities were categorized into four broad groups. The first group includes attacks that exploit the “Key Escrow” account recovery mechanism to compromise the confidentiality guarantees of Bitwarden and LastPass. The second group includes attacks that exploit flawed item-level encryption, which can result in integrity violations, metadata leakage, field swapping, and key derivation function (KDF) downgrade. The third group includes attacks that exploit sharing features to compromise vault integrity and confidentiality. The fourth group includes attacks that exploit backwards compatibility with legacy code, resulting in downgrade attacks in Bitwarden and Dashlane.
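The "field swapping" and "integrity violation" attacks in the second group, and the item/field/metadata binding that LastPass is adding in response, come down to one question: does anything tie a field's ciphertext to the item and field it was stored under? The Go program below is an added illustration written for this article, not code from the paper or from any of the vendors named. It models a toy vault item with two fields, encrypts each field with AES-GCM, has the storage side exchange the two ciphertexts, and shows that a client which supplies no associated data decrypts the swapped item without complaint, while a client that binds each ciphertext to its item ID and field name via the GCM associated data rejects it. The key, item ID and field values are constructed sample data; the NUL-separated `itemID + field` encoding is one possible binding, chosen here for brevity.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aadFor ties a ciphertext to one item and one field; nil (the unbound design) leaves it free to move.
func aadFor(itemID, field string, bound bool) []byte {
	if !bound {
		return nil
	}
	return []byte(itemID + "\x00" + field) // NUL separator; IDs and field names never contain it
}

// seal encrypts one field value with AES-GCM; the tag also authenticates aad.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil // output is nonce || ciphertext || tag
}

// open checks the tag over ciphertext and aad before returning any plaintext.
func open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// EncryptItem encrypts every field of item id; the result is what the server stores.
func EncryptItem(key []byte, id string, fields map[string]string, bound bool) (map[string][]byte, error) {
	stored := map[string][]byte{}
	for name, value := range fields {
		ct, err := seal(key, []byte(value), aadFor(id, name, bound))
		if err != nil {
			return nil, err
		}
		stored[name] = ct
	}
	return stored, nil
}

// DecryptItem is the client side; when bound, a ciphertext moved to another slot fails to open.
func DecryptItem(key []byte, id string, stored map[string][]byte, bound bool) (map[string]string, error) {
	out := map[string]string{}
	for name, ct := range stored {
		pt, err := open(key, ct, aadFor(id, name, bound))
		if err != nil {
			return nil, fmt.Errorf("field %q of item %q: %w", name, id, err)
		}
		out[name] = string(pt)
	}
	return out, nil
}

// SwapDetected encrypts a constructed item, exchanges its username and password ciphertexts in
// storage, and reports whether the client noticed; fields is what the client read (nil if it refused).
func SwapDetected(bound bool) (detected bool, fields map[string]string, err error) {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte key; real clients derive it with a KDF
	stored, err := EncryptItem(key, "item-0001", map[string]string{"username": "alice", "password": "hunter2"}, bound)
	if err != nil {
		return false, nil, err
	}
	stored["username"], stored["password"] = stored["password"], stored["username"]
	fields, err = DecryptItem(key, "item-0001", stored, bound)
	if err != nil {
		return true, nil, nil // GCM tag check failed: the swap was detected
	}
	return false, fields, nil
}

func main() {
	for _, bound := range []bool{false, true} {
		fmt.Println(SwapDetected(bound))
	}
}
```

Running `go run` on the file prints the unbound result first, with the username and password values exchanged and no error, then the bound result, where decryption is refused. The point for reviewers of a vault format is that per-field encryption with a correct cipher is not enough: the item ID, field name and any metadata the client relies on must be covered by the authentication tag (or an equivalent MAC) so that a storage side that rearranges ciphertexts produces a verification failure rather than silently relabelled secrets. The same binding also blocks moving a ciphertext from one item to another, since the item ID is part of the associated data.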
Vendor Response and Mitigation
In response to the study, the password manager vendors have implemented countermeasures to mitigate the risks. Dashlane has patched an issue that could have allowed a downgrade of the encryption model used to generate encryption keys and protect user vaults. Bitwarden has resolved or is actively remediating seven of the identified issues, while the remaining three issues have been accepted as intentional design decisions necessary for product functionality. LastPass is actively working to add stronger integrity guarantees to better cryptographically bind items, fields, and metadata.
Jacob DePriest, Chief Information Security Officer and Chief Information Officer at 1Password, stated that the company’s security team reviewed the paper in detail and found no new attack vectors beyond those already documented in its publicly available Security Design White Paper. DePriest emphasized the company’s commitment to continually strengthening its security architecture and evaluating it against advanced threat models.
Implications and Conclusion
The study’s findings have significant implications for the security of cloud-based password managers and the protection of user data. As the use of password managers continues to grow, it is essential that vendors prioritize robust security measures to safeguard user data and maintain trust in their products.
