Academic research demonstrates attacks against major cloud password managers
Researchers from ETH Zurich and the Università della Svizzera italiana, led by Prof. Kenneth Paterson, published findings demonstrating 27 successful attacks against major password managers Bitwarden, LastPass, and Dashlane under a malicious server model, where an attacker has compromised the provider’s server. The work challenges the practical guarantees implied by “zero-knowledge encryption,” showing that if the server can tamper with what the client receives, some clients may fail to adequately verify integrity and binding between encrypted vault data and associated metadata, enabling vault contents to be exposed or misdirected.
The reported techniques include issues described as missing ciphertext integrity and insufficient cryptographic binding of fields (e.g., URL metadata not being tightly bound to the encrypted secret), enabling attacks such as field-swap scenarios where a decrypted password could be sent to an attacker-controlled domain during normal client behavior (e.g., fetching a site icon). Additional attack paths discussed target password-manager features beyond basic storage—such as account recovery, sharing, and auto-enrolment into organizations—reinforcing that password-manager security depends not only on encryption at rest but also on robust client-side validation and threat models that account for server compromise; broader commentary also notes recent, compounding weaknesses in the password ecosystem, including password-manager design assumptions and other emerging password-related risks.
Sources
Related Stories
Study Finds Password-Recovery Attacks Against Cloud Password Managers Despite Zero-Knowledge Claims
Researchers from **ETH Zurich** and **Università della Svizzera italiana** reported a set of password-recovery attacks affecting major cloud password managers **Bitwarden**, **LastPass**, and **Dashlane**, challenging common “**zero-knowledge encryption**” (ZKE) assurances. The work models a scenario where an attacker controls or compromises the provider-side infrastructure (i.e., a *malicious/hacked server*) and evaluates whether ZKE design goals still prevent credential exposure. The study describes **25 total attacks**—**12** against Bitwarden, **7** against LastPass, and **6** against Dashlane—ranging from **vault integrity violations** to **complete compromise of all vaults in an organization**, with many attacks enabling **recovery of stored passwords**. The researchers attribute the findings to recurring **design anti-patterns** and **cryptographic misconceptions** in account recovery and related workflows, warning that server-side compromise can still translate into customer-impacting password theft even when vault data is marketed as “zero-knowledge” protected.
4 weeks agoPhishing Campaign Impersonates LastPass and Bitwarden to Distribute Remote Access Tools
Threat actors have launched a sophisticated phishing campaign targeting users of the password managers LastPass and Bitwarden. The attackers send well-crafted emails that falsely claim LastPass or Bitwarden has suffered a security breach, urging recipients to download a new, supposedly more secure desktop version of the password manager. These emails are designed to create a sense of urgency and exploit social engineering tactics, with the goal of tricking users into downloading a malicious binary. Upon execution, the binary silently installs Syncro, a remote monitoring and management (RMM) tool commonly used by managed service providers. Once Syncro is installed, the attackers use it to deploy ScreenConnect, a remote support and access software, enabling them to further compromise the victim's system. This access allows the threat actors to deliver additional malware, steal data, and potentially compromise password vaults stored on the affected machines. The phishing emails are sent from addresses such as ‘hello@lastpasspulse[.]blog’ and ‘hello@lastpasjournal[.]blog’, and they mimic official security alerts from LastPass and Bitwarden. The messages claim that older .exe installations of the password managers are vulnerable and that users must upgrade to a new MSI installer to protect their vault data. LastPass has publicly denied any breach of its systems, clarifying that the emails are fraudulent and part of a social engineering scheme. The campaign began over a weekend, likely to take advantage of reduced staffing and slower detection during the holiday period. Bitwarden users have also been targeted with similar phishing emails, indicating a broad scope for the campaign. The attackers' use of legitimate remote access tools like Syncro and ScreenConnect makes detection and remediation more challenging for victims. The campaign follows a similar pattern to previous phishing attacks against users of other password managers, such as 1Password. Security experts warn that the use of trusted brand names and plausible security narratives increases the likelihood of user compromise. Organizations are advised to educate users about the risks of unsolicited security alerts and to verify any requests for software updates directly with the vendor. The incident highlights the ongoing threat posed by phishing campaigns that leverage trusted brands and remote access tools to gain control over user systems and sensitive data. Both LastPass and Bitwarden have issued statements to reassure users and provide guidance on identifying and avoiding these phishing attempts. The campaign demonstrates the evolving tactics of cybercriminals in targeting password manager users, who often have access to highly sensitive credentials. Security teams should monitor for unauthorized installations of RMM tools and implement controls to prevent lateral movement and data exfiltration. The incident underscores the importance of layered security defenses and user awareness training in mitigating the impact of phishing attacks.
5 months ago
Password Manager Security and Trust: Bitwarden ‘Cupid Vault’ Launch and LastPass Post-Breach Rebuild
Bitwarden launched **‘Cupid Vault’**, a feature aimed at safer credential sharing by letting free-tier users create a two-person shared vault as an *Organization* and invite a trusted person via email. The shared vault is **isolated** from the user’s personal vault, supports revocation of access, and includes a **fingerprint phrase** verification step intended to reduce adversary-in-the-middle enrollment risks; both members can edit or delete items in the shared collection. LastPass’s CEO described the company’s ongoing effort to rebuild trust and security culture following the **2022 intrusions**, which began with access to parts of the development environment via a **compromised developer account** and theft of source code/technical data. LastPass said information from that initial compromise enabled subsequent access to customer-related data, including **customer account metadata** (e.g., names, billing addresses, emails, phone numbers, IP addresses) and a **backup copy of encrypted customer vault data**, framing the incident as a catalyst for significant security program changes.
1 months ago