
Researchers reveal flaws in several major Cloud Password Managers that could expose vaults
Researchers from ETH Zurich and Università della Svizzera italiana disclosed 27 vulnerabilities across four widely used cloud-based password managers that could allow attackers to access credential vaults or alter stored passwords. The affected products are Bitwarden, LastPass, Dashlane, and 1Password, each tied to a number of attack scenarios identified in the research. Together, these password managers serve more than 60 million users and around 125,000 businesses. The study focused on 25 password recovery-related attacks, demonstrated as proof-of-concept scenarios rather than confirmed exploitation in real-world incidents.
The vulnerabilities are grouped into four main areas: key escrow, vault encryption, sharing, and backwards compatibility. Key escrow issues affect account recovery flows and include cases where decryption keys could be accessed without authentication, with Bitwarden tied to three scenarios and LastPass to one. Vault encryption weaknesses could allow data to be inferred or manipulated field by field, which in some cases may expose usernames and passwords, affecting LastPass, Bitwarden, and Dashlane. Sharing flaws could let attackers access shared folders or add items to vaults, while backwards compatibility support can enable downgrade attacks, with Dashlane and Bitwarden seeing several issues.
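To make the field-by-field manipulation risk above concrete, here is an added Go example; it is not code from the research or from any of the named products and does not model their actual vault formats. A toy vault encrypts each field separately with AES-GCM and optionally passes the item ID and field name as associated data: without that binding, a stored ciphertext still decrypts after being copied into a different item, and with it the copy is rejected. The key, item names and secret value are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// context is the associated data that ties a field ciphertext to the item
// and field it was written for; bind=false models a vault without it.
func context(bind bool, itemID, field string) []byte {
	if !bind {
		return nil
	}
	return []byte(itemID + "\x00" + field)
}

func sealField(g cipher.AEAD, bind bool, itemID, field string, pt []byte) []byte {
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return append(nonce, g.Seal(nil, nonce, pt, context(bind, itemID, field))...)
}

func openField(g cipher.AEAD, bind bool, itemID, field string, ct []byte) ([]byte, error) {
	if n := g.NonceSize(); len(ct) >= n {
		return g.Open(nil, ct[:n], ct[n:], context(bind, itemID, field))
	}
	return nil, errors.New("ciphertext too short")
}

// AcceptsMovedCiphertext seals a password for item "bank", copies the opaque
// blob into item "forum" without the key and reports whether it decrypts there.
func AcceptsMovedCiphertext(key []byte, bind bool) (bool, error) {
	block, err := aes.NewCipher(key) // constructed key: 16, 24 or 32 bytes
	if err != nil {
		return false, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return false, err
	}
	bankPw := sealField(g, bind, "bank", "password", []byte("constructed-secret"))
	if _, err := openField(g, bind, "bank", "password", bankPw); err != nil {
		return false, err // must always decrypt where it was written
	}
	_, err = openField(g, bind, "forum", "password", bankPw) // same blob, moved
	return err == nil, nil
}
```

A vault that returns true here lets anyone who can write to the stored vault rearrange encrypted fields without ever holding the key, which is the property the binding removes.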
It's also important to note that, despite these potential vulnerabilities, the researchers followed a 90-day disclosure process before publication and reported no evidence of exploitation in the wild. Since then, vendors have shipped multiple fixes: 1Password said its two scenarios reflect architectural limits already covered in its Security Design Whitepaper, Bitwarden said all reported issues have been addressed, and Dashlane and LastPass also published statements outlining their mitigations.

Comments
As usual, for passwords use a local manager like KeePass. At best, keep it on cloud storage where you can be sure it's encrypted, or alternatively use a hasher with no storage at all (such as saltthepass.com), so all you'd need to know is a master password that only you know (make it a good and memorable one) plus an associated domain name and an extra string if needed too.