Researchers called on LastPass, Dashlane, and Bitwarden to up defenses after severe flaws put 60 million users at risk – here’s how each company responded

Analysts at ETH Zurich called for cryptographic standard improvements after a host of password managers were found lacking


Password managers may not be as secure as many assume, with researchers uncovering multiple attack vectors across three popular systems serving 60 million users.

Security researchers from ETH Zurich studied the architecture of Bitwarden, LastPass, and Dashlane, which between them hold 23% of the password manager market.

The researchers demonstrated 12 attacks that would work on Bitwarden, seven on LastPass, and six on Dashlane, prompting calls for each to bolster defense capabilities.

“We were surprised by the severity of the security vulnerabilities,” said Kenneth Paterson, Professor of Computer Science at ETH Zurich, in a blog post from ETH Zurich.

The study focused on the password managers' claim to offer "zero-knowledge encryption" (a marketing term, unrelated to zero-knowledge proofs): vault contents are encrypted on the user's device under keys derived from the master password, so the companies themselves should not be able to read what users have stored.

"The promise is that even if someone is able to access the server, this does not pose a security risk to customers because the data is encrypted and therefore unreadable," said ETH Zurich researcher Matilda Backendal. "We have now shown that this is not the case."

Testing password managers

To test that claim, the researchers ran their own servers standing in for a compromised provider backend, modelling an attacker who already controls the server rather than one who merely reads its database. From that position they found they could alter stored passwords, gain access to vaults, and more.

The study revealed "strange code architecture" that PhD student Matteo Scarlata attributed to the companies trying to improve ease-of-use for customers, such as offering password recovery or account sharing, as well as keeping out-of-date cryptography in place to stay compatible with older clients and existing vaults.

"As a result, the code becomes more complex and confusing, and it expands the potential attack surface for hackers," Scarlata said.

The researchers urged password manager providers to use current cryptographic standards for all new customers, while existing customers could be offered the chance to migrate to the updated scheme or stay on the older, compatible one, provided they are told about the risks of doing so.

“We want our work to help bring about change in this industry,” Paterson said. “The providers of password managers should not make false promises to their customers about security but instead communicate more clearly and precisely what security guarantees their solutions actually offer.”

Industry response

ITPro contacted each of the companies for comment, but did not receive a response by time of publication.

However, all three have already published blog posts addressing the paper. They shipped fixes for the flaws that could be patched directly, added hardening measures for the remaining concerns, and thanked the researchers for their efforts.

Dashlane said the methodology was "useful", while Bitwarden noted that, as far as it is aware, the full server-compromise scenario the attacks assume has never occurred against any password management product.

Dashlane and LastPass stressed that there was no evidence that these flaws had been exploited as yet; Bitwarden added it has never suffered any security breach.

"Customers should continue using LastPass as normal," LastPass noted. "To continue to receive the best possible secure access experience, we always recommend that users check to ensure they are up-to-date and using the latest version of our browser extensions and apps."

Bitwarden and Dashlane both noted they were selected by the researchers because their source code is publicly available. "We made that choice intentionally," Dashlane said in its blog post.

"Transparency makes it easier for third parties to inspect our design and hold us accountable. Security improves when systems are open to review."

Fixing the flaws

Dashlane explained that it fixed an issue in its support for legacy cryptography, which it had kept for backwards compatibility and migration flexibility. An attacker controlling the server could have used it to inject code into a secure vault, weakening the encryption that protects keys and user data.

"It’s important to note that the exploitation of this issue would require full compromise of a password manager’s servers, paired with a highly sophisticated threat actor able to execute cryptographic attacks, and an extremely significant window of time," Dashlane added.
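The general shape of the problem Dashlane describes is a downgrade: a client that still accepts legacy cryptographic parameters will use whatever a compromised server hands it. The following is an added illustration of that pattern and its fix, not Dashlane's code, the paper's attack, or any other vendor's implementation. It assumes a client that derives its vault key with PBKDF2-HMAC-SHA256 from the master password and an iteration count reported by the server; the password, salt, wordlist, 600,000-iteration floor and the `naive_client_login` and `hardened_client_login` functions are all constructed for this example.

```python
import hashlib

# Constructed example values (not from any product):
PASSWORD = b"correct horse battery staple"
SALT = b"alice@example.com"            # account-bound salt, as many managers use
MIN_ITERATIONS = 600_000               # hypothetical client-side policy floor


def derive_vault_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 stretching of the master password into a 256-bit vault key."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


class DowngradeError(Exception):
    """Raised when the server offers weaker KDF parameters than the client allows."""


def naive_client_login(server_params: dict) -> bytes:
    """Vulnerable pattern: derive the key with whatever parameters the server sends.
    A compromised server can hand back a legacy KDF or a tiny iteration count."""
    return derive_vault_key(PASSWORD, SALT, server_params["iterations"])


def hardened_client_login(server_params: dict, pinned_iterations: int) -> bytes:
    """Hardened pattern: the server may only report parameters that meet a policy
    floor and are no weaker than the value the client itself pinned at enrolment."""
    kdf = server_params.get("kdf")
    iterations = server_params.get("iterations", 0)
    if kdf != "pbkdf2-sha256":
        raise DowngradeError(f"unexpected KDF {kdf!r}")
    if iterations < MIN_ITERATIONS or iterations < pinned_iterations:
        raise DowngradeError(f"iterations {iterations} below floor or local pin")
    return derive_vault_key(PASSWORD, SALT, iterations)


def refuses(server_params: dict, pinned_iterations: int) -> bool:
    """True if the hardened client rejects these parameters."""
    try:
        hardened_client_login(server_params, pinned_iterations)
    except DowngradeError:
        return True
    return False


def offline_guess(target_key: bytes, wordlist, iterations: int):
    """What an attacker with the encrypted vault does next: try candidates.
    A direct key comparison stands in for a trial decryption; the cost per
    candidate scales linearly with the iteration count the client accepted."""
    for guess in wordlist:
        if derive_vault_key(guess, SALT, iterations) == target_key:
            return guess
    return None


HONEST_SERVER = {"kdf": "pbkdf2-sha256", "iterations": 600_000}
MALICIOUS_SERVER = {"kdf": "pbkdf2-sha256", "iterations": 1}   # downgrade
WORDLIST = [b"password", b"letmein", b"hunter2", PASSWORD]      # constructed


def demo():
    # The naive client accepts the downgrade: its key now costs one PBKDF2
    # round per candidate to guess, so the wordlist search is immediate.
    weak_key = naive_client_login(MALICIOUS_SERVER)
    recovered = offline_guess(weak_key, WORDLIST, MALICIOUS_SERVER["iterations"])
    # The hardened client refuses to derive anything under the downgraded parameters.
    refused = refuses(MALICIOUS_SERVER, pinned_iterations=600_000)
    return recovered, refused


if __name__ == "__main__":
    print(demo())
```

The point of the pin is that the iteration count, like the choice of KDF, is a client decision recorded locally; the server's copy is a hint that may only ever match or exceed it.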

Dashlane added that two other attack vectors detailed in the report relate to wider architectural issues that are well known in the cryptographic community: establishing the authenticity of public keys used for sharing, and transaction-based synchronization of vault state.

The password manager firm noted that it, and indeed the wider industry, was well aware of both concerns and had built in additional protections with them in mind.

"Public key authentication at scale is a known challenge that we as an industry must solve," the post added.
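What the public-key authenticity problem looks like in practice: the server keeps a directory of members' public keys, and a compromised server can substitute its own key for the recipient's, so a sender who trusts the directory encrypts the shared item to the attacker. The following is an added illustration of that substitution and of the usual countermeasure, a key fingerprint obtained out of band (for example shown on the recipient's own device) that the server cannot forge. It is not any vendor's code or the paper's attack. The key agreement is finite-field Diffie-Hellman over RFC 3526 group 14 with a SHA-256-derived key and an HMAC-protected XOR stream, chosen so the block runs on the Python standard library alone; the `Directory`, `CompromisedDirectory`, user names and secret are constructed for the example.

```python
import hashlib
import hmac
import secrets

# 2048-bit MODP group 14 from RFC 3526, generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
NBYTES = 256


def keygen():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def fingerprint(pub: int) -> str:
    """Short hash of a public key; compared against a value learned out of band."""
    return hashlib.sha256(pub.to_bytes(NBYTES, "big")).hexdigest()[:20]


def shared_key(priv: int, peer_pub: int) -> bytes:
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(NBYTES, "big")).digest()


def _keystream(key: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + b"enc" + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under the agreed key (toy construction for the example)."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    tag = hmac.new(hashlib.sha256(key + b"mac").digest(), ct, "sha256").digest()
    return ct + tag


def unwrap(key: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(hashlib.sha256(key + b"mac").digest(), ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag: not encrypted to this key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


class Directory:
    """The server's key directory, as an honest server would run it."""
    def __init__(self):
        self.keys = {}

    def register(self, user: str, pub: int):
        self.keys[user] = pub

    def lookup(self, user: str) -> int:
        return self.keys[user]


class CompromisedDirectory(Directory):
    """Same API, but every lookup returns the attacker's key."""
    def __init__(self, attacker_pub: int):
        super().__init__()
        self.attacker_pub = attacker_pub

    def lookup(self, user: str) -> int:
        return self.attacker_pub


class KeySubstitutionError(Exception):
    pass


def share_naive(sender_priv, directory, recipient, secret):
    """Vulnerable: encrypt to whatever key the server says belongs to the recipient."""
    return wrap(shared_key(sender_priv, directory.lookup(recipient)), secret)


def share_verified(sender_priv, directory, recipient, secret, expected_fp):
    """Hardened: refuse unless the directory's key matches the out-of-band fingerprint."""
    pub = directory.lookup(recipient)
    if not hmac.compare_digest(fingerprint(pub), expected_fp):
        raise KeySubstitutionError(f"key for {recipient} does not match pinned fingerprint")
    return wrap(shared_key(sender_priv, pub), secret)


def demo():
    alice_priv, alice_pub = keygen()
    bob_priv, bob_pub = keygen()
    mallory_priv, mallory_pub = keygen()            # the attacker running the server
    secret = b"shared-db-password: s3cr3t"          # constructed shared item
    honest = Directory()
    honest.register("alice", alice_pub)
    honest.register("bob", bob_pub)
    evil = CompromisedDirectory(mallory_pub)
    evil.register("alice", alice_pub)               # attacker also knows Alice's key
    # Honest server: only Bob can open the item.
    bob_reads = unwrap(shared_key(bob_priv, alice_pub), share_naive(alice_priv, honest, "bob", secret))
    # Compromised server, naive sender: Mallory opens it, Bob cannot (in a real
    # attack she would re-encrypt it to Bob's key so nobody notices).
    blob = share_naive(alice_priv, evil, "bob", secret)
    mallory_reads = unwrap(shared_key(mallory_priv, alice_pub), blob)
    try:
        unwrap(shared_key(bob_priv, alice_pub), blob)
        bob_opens_substituted = True
    except ValueError:
        bob_opens_substituted = False
    # Compromised server, verified sender: the fingerprint check stops the share.
    try:
        share_verified(alice_priv, evil, "bob", secret, fingerprint(bob_pub))
        refused = False
    except KeySubstitutionError:
        refused = True
    return bob_reads, mallory_reads, bob_opens_substituted, refused


if __name__ == "__main__":
    print(demo())
```

The fingerprint only helps if it reaches the sender through a channel the server does not control; a fingerprint served by the same directory is no stronger than the key itself, which is why the problem remains "a known challenge" at scale.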


Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.

Nicole is the author of a book about the history of technology, The Long History of the Future.