Researchers from ETH Zurich have discovered serious security vulnerabilities in three popular, cloud-based password managers. During testing, they were able to view and even make changes to stored passwords.

ETH Zurich researchers have discovered major security flaws in three popular cloud-based password managers - Bitwarden, LastPass, and Dashlane - which together serve 60 million users[1]. The team demonstrated 25 different attacks that could compromise user passwords, including 12 on Bitwarden, 7 on LastPass, and 6 on Dashlane.

The researchers found they could view and modify stored passwords by setting up servers that mimicked compromised password manager servers[1:1]. These attacks worked through routine user actions like logging in, viewing passwords, or syncing data. “We were surprised by the severity of the security vulnerabilities,” said Professor Kenneth Paterson of ETH Zurich[1:2].

The vulnerabilities stem from complex code designed to enhance user-friendliness, such as password recovery and family sharing features. The providers were given 90 days to fix the security issues before publication[1:3].

The researchers recommend users choose password managers that:

  • Are transparent about security vulnerabilities
  • Undergo external audits
  • Have end-to-end encryption enabled by default[1:4]

  1. ETH Zurich - Password managers less secure than promised ↩︎ ↩︎ ↩︎ ↩︎ ↩︎

  • ThunderComplex@lemmy.today
    0·
    11 hours ago

    Cloud based password managers are a scam imo. They get total control of your data AND dictate how you can access it (paywalls, ads etc) meanwhile you get dick. On top of that the headline kinda made it sound like real password managers (like keepass) could have been compromised too.

    Doesn’t surprise me that cloud based ones are vulnerable. And when they get breached they just write a oopsie apology letter and continue going about their business.