Cloud Password Manager Security Breach: 25 Password Recovery Attacks Exposed
Password Recovery Attacks Against Cloud-Based Password Managers
A recent study conducted by researchers from ETH Zurich and Università della Svizzera italiana has identified 25 password recovery attacks that can be launched against major cloud-based password managers, including Bitwarden, Dashlane, and LastPass. These attacks can compromise the security of user vaults and potentially lead to the recovery of passwords.
Zero-Knowledge Encryption Promises
The study focused on the zero-knowledge encryption (ZKE) promises made by these password managers, which are designed to ensure that user data remains confidential and secure. However, the researchers found that the implementation of ZKE in these solutions is flawed, allowing malicious actors to launch attacks that can compromise the integrity and confidentiality of user vaults.
Categories of Attacks
The attacks identified in the study fall into four broad categories. The first category includes attacks that exploit the “Key Escrow” account recovery mechanism, which can compromise the confidentiality guarantees of Bitwarden and LastPass. The second category includes attacks that exploit flawed item-level encryption, which can result in integrity violations, metadata leakage, and key derivation function (KDF) downgrades. The third category includes attacks that exploit sharing features to compromise vault integrity and confidentiality. The fourth category includes attacks that exploit backwards compatibility with legacy code, resulting in downgrade attacks in Bitwarden and Dashlane.
Vulnerabilities and Affected Users
The study found that Bitwarden is vulnerable to 12 distinct attacks, LastPass is vulnerable to seven attacks, and Dashlane is vulnerable to six attacks. Collectively, these password management solutions serve over 60 million users and nearly 125,000 businesses.
According to Jacob DePriest, Chief Information Security Officer and Chief Information Officer at 1Password, the company’s security team reviewed the paper in detail and found no new attack vectors beyond those already documented in its publicly available Security Design White Paper.
Response from Password Managers
Bitwarden, Dashlane, and LastPass have all implemented countermeasures to mitigate the risks highlighted in the research. LastPass is planning to harden its admin password reset and sharing workflows to counter the threat posed by a malicious intermediary. Dashlane has patched an issue that could have allowed a downgrade of the encryption model used to generate encryption keys and protect user vaults.
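The KDF downgrade mentioned in the second and fourth attack categories above, and in Dashlane's patch, is a check a client can enforce on its own side: it pins the key-derivation parameters it last unlocked with and refuses anything weaker the server offers later. The Python below is an added illustration, not code from the paper or from any of the vendors; the algorithm names, cost floors and strength ranking are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy for this example: the minimum cost the client will ever
# accept per algorithm, and a strength ranking so that switching to a weaker
# algorithm counts as a downgrade even if its cost number looks larger.
KDF_FLOOR = {"pbkdf2-sha256": 600_000, "argon2id": 3}
KDF_RANK = {"pbkdf2-sha256": 1, "argon2id": 2}


@dataclass(frozen=True)
class KdfParams:
    algorithm: str
    cost: int  # PBKDF2 iteration count or Argon2 time cost


class KdfDowngradeError(ValueError):
    """Raised when server-supplied KDF parameters are weaker than allowed."""


def accept_server_kdf(pinned: Optional[KdfParams], offered: KdfParams) -> KdfParams:
    """Validate the KDF parameters the server sends before deriving the vault key.

    `pinned` is what this client last unlocked with (None on first use); the
    caller persists the returned value locally as the new pin.
    """
    floor = KDF_FLOOR.get(offered.algorithm)
    if floor is None:
        raise KdfDowngradeError(f"unknown KDF {offered.algorithm!r}")
    if offered.cost < floor:
        raise KdfDowngradeError(f"{offered.algorithm} cost {offered.cost} below floor {floor}")
    if pinned is not None:
        if KDF_RANK[offered.algorithm] < KDF_RANK[pinned.algorithm]:
            raise KdfDowngradeError(f"algorithm downgrade {pinned.algorithm} -> {offered.algorithm}")
        if offered.algorithm == pinned.algorithm and offered.cost < pinned.cost:
            raise KdfDowngradeError(f"cost downgrade {pinned.cost} -> {offered.cost}")
    return offered


def is_accepted(pinned: Optional[KdfParams], offered: KdfParams) -> bool:
    """Convenience wrapper: True if the client would accept `offered`."""
    try:
        accept_server_kdf(pinned, offered)
        return True
    except KdfDowngradeError:
        return False
```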
Importance of Robust Security Measures
The study’s findings highlight the importance of robust security measures in cloud-based password managers. While these solutions are designed to provide an additional layer of security for users, they can also introduce new vulnerabilities if not implemented correctly. As the use of cloud-based password managers continues to grow, it is essential that vendors prioritize security and implement robust measures to protect user data.
