LastPass, Bitwarden and Dashlane: 25 Flaws Found in Cloud Password Managers Allow Unauthorized Access and Data Manipulation

Critical Vulnerabilities Exposed in Major Cloud Password Managers

Researchers from ETH Zurich’s Applied Cryptography Group have uncovered 25 severe security flaws in popular cloud-based password managers, including Bitwarden, LastPass, and Dashlane, which collectively serve around 60 million users worldwide. The findings challenge the long-held assumption of "zero-knowledge encryption", a security model in which stored data is meant to remain confidential even if the provider's servers are compromised.

Led by Professor Kenneth Paterson, the team simulated a malicious server threat model, testing how browser extensions responded when servers were compromised. The results revealed client-side vulnerabilities that could allow attackers with server access to view, modify, or delete stored passwords, logins, and sensitive data. Bitwarden was found to have 12 vulnerabilities, LastPass 7, and Dashlane 6, with some flaws enabling full organization vault compromises or unauthorized access via sync manipulation.

Key issues stem from outdated cryptographic practices and user-friendly features like password recovery and sharing, which introduce complexity and expand the attack surface. Doctoral student Matteo Scarlata noted that many vendors rely on 1990s-era encryption to avoid disrupting users or causing downtime, undermining the security guarantees of zero-knowledge architectures.

The vulnerabilities, assigned CVE IDs with CVSS scores ranging from 7.5 to 8.5, include:

  • Bitwarden: Unauthorized vault access, integrity violations in shared credentials, and full organization vault compromise.
  • LastPass: Password recovery bypass and credential modification attacks.
  • Dashlane: Legacy crypto decryption leaks.

The researchers followed responsible disclosure, giving vendors 90 days to address the flaws. While patches are now being rolled out, the findings highlight a critical weakness: even encrypted data can be manipulated if servers are compromised. The incident underscores the need for regular external audits, transparent security practices, and migration to modern cryptographic standards rather than relying on incremental fixes.

Source: https://cyberpress.org/25-flaws-found-in-cloud-password-managers/

LastPass TPRM report: https://www.rankiteo.com/company/lastpass

Bitwarden TPRM report: https://www.rankiteo.com/company/bitwarden1

Dashlane TPRM report: https://www.rankiteo.com/company/dashlane

{
  "id": "daslasbit1771317146",
  "linkid": "dashlane, lastpass, bitwarden1",
  "type": "Vulnerability",
  "date": "1/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'industry': 'Cybersecurity',
                        'name': 'Bitwarden',
                        'type': 'Password Manager'},
                       {'industry': 'Cybersecurity',
                        'name': 'LastPass',
                        'type': 'Password Manager'},
                       {'industry': 'Cybersecurity',
                        'name': 'Dashlane',
                        'type': 'Password Manager'}],
 'attack_vector': 'Malicious Server Threat Model',
 'data_breach': {'data_encryption': 'Compromised (zero-knowledge encryption '
                                    'bypass)',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (Personally Identifiable '
                                        'Information, credentials)',
                 'type_of_data_compromised': 'Passwords, logins, sensitive '
                                             'data'},
 'description': 'Researchers from ETH Zurich’s Applied Cryptography Group '
                'uncovered 25 severe security flaws in popular cloud-based '
                'password managers, including Bitwarden, LastPass, and '
                'Dashlane, affecting around 60 million users worldwide. The '
                "vulnerabilities challenge the 'zero-knowledge encryption' "
                'model, allowing attackers with server access to view, modify, '
                'or delete stored passwords and sensitive data.',
 'impact': {'brand_reputation_impact': 'High',
            'data_compromised': 'Stored passwords, logins, and sensitive data',
            'identity_theft_risk': 'High',
            'operational_impact': 'Potential unauthorized access and '
                                  'manipulation of encrypted data',
            'systems_affected': 'Cloud-based password managers (Bitwarden, '
                                'LastPass, Dashlane)'},
 'investigation_status': 'Ongoing (patches being rolled out)',
 'lessons_learned': 'Zero-knowledge encryption can be undermined by '
                    'server-side compromises and outdated cryptographic '
                    'practices. Regular external audits and modern '
                    'cryptographic standards are essential.',
 'post_incident_analysis': {'corrective_actions': ['Patching vulnerabilities',
                                                   'Modernizing encryption '
                                                   'standards',
                                                   'Enhancing security audits'],
                            'root_causes': ['Outdated cryptographic practices',
                                            'Complexity introduced by '
                                            'user-friendly features (e.g., '
                                            'password recovery, sharing)',
                                            'Reliance on legacy encryption']},
 'recommendations': ['Conduct regular external security audits',
                     'Adopt modern cryptographic standards',
                     'Improve transparency in security practices',
                     'Avoid reliance on incremental fixes'],
 'references': [{'source': 'ETH Zurich’s Applied Cryptography Group'}],
 'response': {'communication_strategy': 'Responsible disclosure (90-day '
                                        'window)',
              'containment_measures': 'Patches rolled out by vendors',
              'remediation_measures': 'Addressing vulnerabilities, modernizing '
                                      'cryptographic standards',
              'third_party_assistance': 'ETH Zurich’s Applied Cryptography '
                                        'Group'},
 'title': 'Critical Vulnerabilities Exposed in Major Cloud Password Managers',
 'type': 'Data Breach/Vulnerability Exposure',
 'vulnerability_exploited': ['Client-side vulnerabilities',
                             'Outdated cryptographic practices',
                             'Password recovery and sharing features',
                             'Legacy encryption']}