Academics say they found a series of flaws affecting three popular password managers, all of which claim to protect user credentials in the event that their servers are compromised.
The team, comprised of researchers from ETH Zurich and Università della Svizzera italiana (USI), examined the “zero-knowledge encryption” promises made by Bitwarden, LastPass, and Dashlane, finding all three could expose passwords if attackers compromised servers.
The premise of zero-knowledge encryption is that user passwords are encrypted on their device, and the password manager’s server acts merely as a dumb storage box for the encrypted credentials. Therefore, in the event that the vendor’s servers are controlled by malicious parties, attackers wouldn’t be able to view users’ secrets.
As one of the most popular alternatives to Apple and Google’s own password managers, which together dominate the market, the researchers found Bitwarden was most susceptible to attacks, with 12 working against the open-source product. Seven distinct attacks worked against LastPass, and six succeeded in Dashlane.
The attacks don’t exploit weaknesses in the same way that remote attackers could exploit vulnerabilities and target specific users. Instead, the researchers worked to test each platform’s ability to keep secrets safe in the event they were compromised.
In most cases where attacks were successful, the researchers said they could retrieve encrypted passwords from the user, and in some cases, change the entries.
They used a malicious server model to test all of this – setting up servers that behaved like hacked versions of those used by the password managers. Seven of Bitwarden’s 12 successful attacks led to password disclosure, whereas only three of LastPass’s attacks led to the same end, and one for Dashlane.
All three vendors claim their products come with zero-knowledge encryption. The researchers noted that none of them outline the specific threat model their password manager secures against.
The researchers said: “The majority of our attacks require simple interactions which users or their clients perform routinely as part of their usage of the product, such as logging in to their account, opening the vault and viewing the items, or performing periodic synchronization of data.
“We also present attacks that require more complex user actions, such as key rotations, joining an organization, sharing credentials, or even clicking on a misleading dialog. Although assessing the probability of these actions is challenging, we believe that, within a vast user base, many users will likely perform them.”
In the full paper [PDF], they went on to argue that password managers have escaped deep academic scrutiny until now, unlike end-to-end encrypted messaging apps. It is perhaps due to a perception that password managers are simple applications – deriving keys and then encrypting them. However, their codebases are more complex than that, often offering features such as the ability to share accounts with family members and featuring various ways to maintain backward-compatibility with older encryption standards.
Kenneth Paterson, professor of computer science at ETH Zurich, said “we were surprised by the severity of the security vulnerabilities” affecting the password managers.
“Since end-to-end encryption is still relatively new in commercial services, it seems that no one had ever examined it in detail before.”
The team’s primary recommendation for vendors is to ensure that new users have access to the latest cryptographic standards by default.
One of the main reasons password manager providers haven’t upgraded their codebases is that they fear doing so would irrevocably lose existing users’ secrets. The researchers said that some vendors have gone to extreme lengths to support older formats, which in turn creates complexity in the code.
The best way forward? The researchers suggested ensuring all new users are onboarded with the latest cryptographic standards, while offering existing customers the choice between migrating to them or staying put, but with the knowledge of the vulnerabilities.
“We want our work to help bring about change in this industry,” said Paterson. He claimed: “The providers of password managers should not make false promises to their customers about security but instead communicate more clearly and precisely what security guarantees their solutions actually offer.”
Vendor response
Dashlane published a comprehensive response, thanking the researchers, and said the infoseccers’ decision to test using a malicious server model represented “a useful exercise.”
The vendor also confirmed it had fixed the most serious issue – the attack researchers showed could lead to the disclosure of a password, and published a separate security advisory devoted to that.
“Dashlane has fixed an issue that, if Dashlane’s servers were fully compromised, could have allowed a downgrade of the encryption model used to generate encryption keys and protect user vaults,” it said. “This downgrade could result in the compromise of a weak or easily guessable Master Password, and the compromise of individual ‘downgraded’ vault items.
“This issue was the result of the allowed use of legacy cryptography. This legacy cryptography was supported by Dashlane in certain cases for backward compatibility and migration flexibility.
“Dashlane has removed support for this legacy cryptography, which means these downgrade attacks are no longer possible.”
Bitwarden, meanwhile, said in a post: “Bitwarden has never been breached and believes third-party security assessments like these are critical to continue providing state of the art security to individuals and organizations.”
It added: “Thank you ETH Zurich for your insights and commitment to stronger password security.”
A LastPass spokesperson told The Reg: “Our Security team is grateful for the opportunity to engage with ETH Zurich and benefit from their research. While our own assessment of these risks may not fully align with the severity ratings assigned by the ETH Zurich team, we take all reported security findings seriously. We have already implemented multiple near‑term hardening measures while also establishing plans to remediate or reinforce the relevant components of our service on a timeline commensurate with the assessed risk.”
The researchers said the vendors responded constructively to their outreach attempts and were working to mitigate the exploited weaknesses.
The researchers said it is highly likely that the same weaknesses they highlighted in the study apply to other vendors across the industry, and couldn’t rule out the possibility the attacks are already known to the more advanced hackers, including those with government backing. ®