Study Reveals 25 Password Recovery Attacks on Major Cloud Managers

A recent study has highlighted significant vulnerabilities in several cloud-based password managers, including Bitwarden, LastPass, and Dashlane. Conducted by researchers from ETH Zurich and Università della Svizzera italiana, the analysis indicates that these platforms are subject to password recovery attacks, which could compromise user data.

Key Findings of the Study on Password Recovery Attacks

The study revealed that the password recovery vulnerabilities can lead to severe integrity violations or even total compromises of user vaults. Researchers Matteo Scarlata, Giovanni Torrisi, Matilda Backendal, and Kenneth G. Paterson outlined the threats, noting that many attacks are designed to recover passwords.

Understanding Zero-Knowledge Encryption

The analysis examined the effectiveness of zero-knowledge encryption (ZKE) as implemented by these password managers. ZKE is a cryptographic approach in which only the data owner can decrypt the stored information, so the provider never learns the user's secret. This differs from end-to-end encryption (E2EE), which primarily secures data in transit.

Categories of Attacks Identified

The research categorized the vulnerabilities into four primary types:

  • Key Escrow Attacks: Exploiting account recovery features in Bitwarden and LastPass, jeopardizing confidentiality.
  • Flawed Item-Level Encryption: Problems with encrypting data as separate objects, leading to integrity violations and metadata leakage.
  • Sharing Feature Exploits: Attacks targeting vault sharing capabilities, compromising data privacy and security.
  • Backwards Compatibility Vulnerabilities: Weaknesses in legacy code paths that enable downgrade attacks against Bitwarden and Dashlane.

Impact on Other Password Managers

The study also noted potential vulnerabilities in 1Password, particularly concerning item-level encryption and sharing, despite the company’s assertion that these results arise from already acknowledged architectural limitations.

Industry Response and Remediation Efforts

In response to the findings, Jacob DePriest, Chief Information Security Officer at 1Password, stated that no new vulnerabilities were discovered beyond those already documented. The company emphasizes its commitment to reinforcing security against advanced threats, including those set forth in the study.

Other password managers like Bitwarden, LastPass, and Dashlane are actively working on countermeasures. For instance:

  • Bitwarden has resolved several vulnerabilities, with a few accepted as design decisions.
  • Dashlane has updated its systems to eliminate legacy cryptography, addressing risks that could allow weak Master Passwords.
  • LastPass is enhancing integrity guarantees for user data.

This ongoing commitment to cybersecurity is critical: collectively, these password managers support over 60 million users and nearly 125,000 businesses globally. While no current exploits have been reported, heightened vigilance is necessary to protect sensitive user data from potential threats.
