Password Managers Exposed: Vulnerability to Malicious Server Compromise
Researchers Identify Vulnerabilities in Cloud-Based Password Managers
Researchers from ETH Zurich have identified vulnerabilities in popular cloud-based password managers that could allow attackers to compromise user vaults and access sensitive data. The work evaluates the zero-knowledge model these products advertise, in which the provider (and therefore anyone who compromises the provider's servers) is supposed to be unable to read or alter a user's vault. The researchers assumed a malicious server and tested whether the client software still upholds that guarantee.
Analysis of Password Managers
The researchers analyzed password managers from Bitwarden, Dashlane, LastPass, and 1Password, which collectively have millions of users and account for a significant share of the market. 1Password was included in the study, but the detailed analysis focused on the other three products.
Attacks on Password Managers
The researchers mounted several classes of attack against each of the tested password managers, ranging from degrading security guarantees and undermining expected protections to full compromise of user accounts. The attack surface was the set of features in which the client trusts data supplied by the server: account recovery, single sign-on (SSO) login, and code paths kept for backward compatibility. The researchers also exploited insufficient integrity protection of vault contents and the sharing features that let family members or co-workers access the same vault items.
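Two of the attack classes named above, backward-compatibility code paths and improper vault integrity, come down to the same root cause: the client accepts something from the server without checking it. The following is an added illustration written for this page, not code from the ETH Zurich researchers or from any of the vendors discussed. It is a toy vault client (the cipher is an HMAC-SHA256 counter-mode keystream with an HMAC tag, standing in for a real AEAD such as AES-GCM, so that it runs on the Python standard library alone). The item names, passwords, salt, revision number and the 600,000-iteration PBKDF2 floor are constructed assumptions. It shows a server that downgrades the key-derivation parameters a naive client will accept, and a server that swaps the encrypted blobs of two vault records, which a client that authenticates only the ciphertext cannot detect but a client that binds each blob to its record identifier and vault revision rejects.

```python
"""Toy zero-knowledge vault client demonstrating two malicious-server attack classes:
KDF parameter downgrade and item swapping against a vault with no context binding.
Illustrative code only, not any vendor's implementation."""
import hashlib
import hmac
import os

# Assumption: the client's own floor for server-supplied PBKDF2 iteration counts.
MIN_PBKDF2_ITERATIONS = 600_000


def check_kdf_params(iterations: int) -> bool:
    """True if the server-supplied KDF parameters meet the client's floor.
    A server that can dictate a tiny iteration count turns an offline guess
    at the master password from expensive into cheap."""
    return iterations >= MIN_PBKDF2_ITERATIONS


def derive_master_key(password: bytes, salt: bytes, iterations: int,
                      enforce_floor: bool = True) -> bytes:
    """Derive the vault key. A zero-knowledge client must refuse parameters
    weaker than it is willing to accept, whatever the server claims."""
    if enforce_floor and not check_kdf_params(iterations):
        raise ValueError(f"KDF downgrade rejected: {iterations} < {MIN_PBKDF2_ITERATIONS}")
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    """Separate encryption and MAC keys derived from the master key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a toy stand-in for a real cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC. The tag covers the associated data, nonce and ciphertext,
    so whatever is put in `aad` becomes part of what the client verifies."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag (including the caller's expected context) and decrypt."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault item failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def item_context(item_id: str, revision: int) -> bytes:
    """Context the tag must cover: which record this ciphertext belongs to and
    which vault revision it came from, so the server can neither swap records
    nor silently serve an older one."""
    return f"{item_id}|{revision}".encode()


def server_swap(vault: dict, a: str, b: str) -> dict:
    """What a malicious server can do without the key: exchange the opaque
    blobs stored under two record identifiers."""
    swapped = dict(vault)
    swapped[a], swapped[b] = vault[b], vault[a]
    return swapped


def demo(bind_context: bool) -> dict:
    """Build a two-item vault, let the server swap the items, then open them.
    Returns the plaintext the client accepts for each record, or None if the
    client rejected the record. Sample items and salt are constructed."""
    key = derive_master_key(b"correct horse battery staple", b"\x00" * 16,
                            MIN_PBKDF2_ITERATIONS)
    items = {"bank": b"bank-password", "forum": b"forum-password"}
    revision = 7
    vault = {}
    for item_id, secret in items.items():
        aad = item_context(item_id, revision) if bind_context else b""
        vault[item_id] = seal(key, secret, aad)
    tampered = server_swap(vault, "bank", "forum")
    accepted = {}
    for item_id, blob in tampered.items():
        aad = item_context(item_id, revision) if bind_context else b""
        try:
            accepted[item_id] = unseal(key, blob, aad)
        except ValueError:
            accepted[item_id] = None
    return accepted


if __name__ == "__main__":
    print("naive client accepts:", demo(bind_context=False))
    print("bound client accepts:", demo(bind_context=True))
    print("server says 1 iteration, client accepts:", check_kdf_params(1))
```

With `bind_context=False` the naive client decrypts both swapped records successfully and now believes the forum password belongs to the bank entry, which is exactly the kind of silent substitution a malicious server is after; with `bind_context=True` both records fail verification. The same binding idea applied to a monotonically increasing vault revision is what stops rollback, and the KDF floor is what stops the backward-compatibility downgrade: in both cases the fix is for the client to decide what it will accept rather than to trust the server's description of the vault.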
Results of the Attacks
For each of the password managers analyzed in depth, the researchers achieved some form of vault compromise: full vault compromise for Bitwarden and LastPass, and shared vault compromise for Dashlane. In many cases the malicious server could not only read the user's credentials but also modify them.
Vendor Responses
Dashlane pointed out that some of the findings require “either specific circumstances and/or an extremely significant window of time.”
Bitwarden noted that seven of the 10 issues reported by the researchers have been or are in the process of being addressed, while three of the flaws “have been accepted as intentional design decisions necessary for product functionality.”
LastPass appreciated the research but disagreed with some of the researchers’ assessments. “While our own assessment of these risks may not fully align with the severity ratings assigned by the ETH Zurich team, we take all reported security findings seriously,” a spokesperson stated. “We have already implemented multiple near-term hardening measures while also establishing plans to remediate or reinforce the relevant components of our service on a timeline commensurate with the assessed risk.”
1Password also responded to the research, stating that the attack vectors identified by the researchers had already been documented in the company’s publicly available Security Design White Paper. “We are committed to continually strengthening our security architecture and evaluating it against advanced threat models, including malicious-server scenarios like those described in the research, and evolving it over time to maintain the protections our users rely on,” said Jacob DePriest, CISO and CIO of 1Password.
Conclusion
The findings show that a zero-knowledge guarantee is only as strong as the client's refusal to trust its own server: every place where the client accepts server-supplied parameters, keys, or vault contents without verifying them (account recovery, SSO login, legacy formats, sharing) is a path by which a compromised or malicious server can break the guarantee. While the vendors have taken steps to address the reported issues, the research demonstrates the ongoing need for vigilance and innovation in password manager security.
