Some top password managers can be hacked and hijacked to change your passwords - here's what we know
Researchers found multiple vulnerabilities in cloud-based password managers
- Vulnerabilities have been discovered in several password managers
- Researchers created theoretical attacks that could steal credentials
- Remediation efforts are underway, with multiple vulnerabilities already patched
Researchers have discovered 27 vulnerabilities across four popular password managers that could allow an attacker to access a victim's password vault and alter or steal credentials.
The research, from experts at ETH Zurich and the Università della Svizzera italiana (USI) in Switzerland, found Bitwarden susceptible to 12 attacks, LastPass to seven, Dashlane to six, and 1Password to only two.
In total, these popular password managers cover over 60 million users and almost 125,000 businesses, with the attacks discovered by the researchers focusing on vulnerabilities across four categories - key escrow, vault encryption, sharing, and backwards compatibility.
Key escrow flaws
The key escrow flaws focus on vulnerabilities in account recovery features. The researchers outlined that copies of users’ encryption keys are often stored to assist with account recovery should a user be unable to access their account using their master password.
However, in some cases the keys can be accessed without authentication, allowing a hacker to manipulate the recovery process to access the keys and, in turn, a user’s vault. For attacks in this category, Bitwarden was found to be susceptible to three and LastPass to one.
Vault encryption flaws
The second category, vault encryption flaws, focuses on how stored credentials and their associated URLs within a user’s vault are encrypted. In several cases, the researchers found that the vault was not encrypted as a single block; instead, each individual item was encrypted separately.
Additionally, other information about the contents of the vault was left unencrypted. LastPass was found to be susceptible to five attacks of this type, Bitwarden to four, and Dashlane to one.
In attacks exploiting these vulnerabilities, an attacker could theoretically leak information from each credential ‘field’ within the vault to identify its contents. An attacker could also swap items between fields to leak information, or present the URL associated with the credentials in such a way that the password and username could be leaked.
Sharing flaws
Many password managers allow users to share stored credentials and other information as a matter of convenience, such as being able to quickly share the Wi-Fi password with guests.
The researchers found that very little user authentication took place when items were shared, allowing several attack vectors that could reveal shared items or enable further attacks. For attacks in this category, Bitwarden was found to be vulnerable to two, with LastPass and Dashlane susceptible to one each.
In one example, an attacker could create an ‘organization’ and add random users using their public key. The password manager would then synchronize the users with the fake organization, making the users appear to belong to the organization. In some cases, the attacker could then add incriminating items to the user’s vault, or the attacker could gain access to all of the stored items within a shared folder.
Backwards compatibility flaws
In order to maintain compatibility between versions, many password managers offer legacy support that enables backwards compatibility with older encryption methods.
This is convenient for organizations and users who need to access credentials encrypted using older methods, but presents several opportunities for attackers to downgrade the encryption used by the client to the older, and therefore weaker, cryptographic algorithms. For attacks in this category, Dashlane was susceptible to four, and Bitwarden to three.
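The swap attacks in the vault encryption section and the downgrade attacks described here share a root cause: ciphertexts that are not bound to the context they belong to. The Go example below is an added illustration of one defence, written for this article and not code from any of the password managers named: each field is sealed with AES-GCM using the item id, clear-text URL, field name and scheme version as associated data, and a minimum scheme version is enforced before any decryption is attempted. The names Item, EncryptField, DecryptField and MinScheme are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const MinScheme, CurrentScheme = 2, 2 // oldest format still decrypted; format written now

// Item is one vault entry (hypothetical layout); its clear-text URL is bound to the encrypted fields.
type Item struct {
	ID, URL string
	Scheme  int
	Fields  map[string][]byte // field name -> nonce || ciphertext || GCM tag
}

// aad is the context every field is bound to. Moving a ciphertext to another
// item, field or URL changes it, so the tag check fails instead of decrypting.
func aad(it *Item, field string) []byte {
	return []byte(fmt.Sprintf("v%d|%s|%s|%s", it.Scheme, it.ID, it.URL, field))
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// EncryptField seals one field of it under key with a fresh random nonce.
func EncryptField(key []byte, it *Item, field string, plaintext []byte) error {
	g, err := gcm(key)
	if err != nil { return err }
	nonce := make([]byte, g.NonceSize())
	if _, err = rand.Read(nonce); err != nil { return err }
	it.Fields[field] = g.Seal(nonce, nonce, plaintext, aad(it, field))
	return nil
}

// DecryptField refuses legacy formats first (downgrade defence), then opens the field, which verifies its binding.
func DecryptField(key []byte, it *Item, field string) ([]byte, error) {
	if it.Scheme < MinScheme { return nil, errors.New("legacy item scheme refused") }
	g, err := gcm(key)
	if err != nil { return nil, err }
	blob := it.Fields[field]
	if len(blob) < g.NonceSize() { return nil, errors.New("field missing or truncated") }
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad(it, field))
}
```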
Vulnerabilities addressed and patches released
Ahead of the research being released, the researchers contacted all of the affected password manager providers as part of a 90-day disclosure process. The researchers noted that there is no evidence any of the vulnerabilities have been exploited in the wild, and all of the affected providers have begun remediation efforts, with several vulnerabilities already patched.
While 1Password was only vulnerable to two attacks, the company responded to the researchers stating that these stem from architectural limitations that are already documented in 1Password’s Security Design Whitepaper.
Speaking to The Hacker News, Jacob DePriest, Chief Information Security Officer and Chief Information Officer at 1Password, said "We are committed to continually strengthening our security architecture and evaluating it against advanced threat models, including malicious-server scenarios like those described in the research, and evolving it over time to maintain the protections our users rely on."
"For example, 1Password uses Secure Remote Password (SRP) to authenticate users without transmitting encryption keys to our servers, helping mitigate entire classes of server-side attacks," DePriest said. "More recently, we introduced a new capability for enterprise-managed credentials, which from the start are created and secured to withstand sophisticated threats."
Bitwarden stated in a blog post that, "All issues identified in the report have been addressed by the Bitwarden team," and thanked the researchers for uncovering the vulnerabilities.
Both Dashlane and LastPass also thanked the researchers, and detailed their own findings of the vulnerabilities and mitigations.
Benedict has been with TechRadar Pro for over two years, and has specialized in writing about cybersecurity, threat intelligence, and B2B security solutions. His coverage explores the critical areas of national security, including state-sponsored threat actors, APT groups, critical infrastructure, and social engineering.
Benedict holds an MA (Distinction) in Security, Intelligence, and Diplomacy from the Centre for Security and Intelligence Studies at the University of Buckingham, providing him with a strong academic foundation for his reporting on geopolitics, threat intelligence, and cyber-warfare.
Prior to his postgraduate studies, Benedict earned a BA in Politics with Journalism, providing him with the skills to translate complex political and security issues into comprehensible copy.