Researchers from ETH Zurich have discovered 25 serious security vulnerabilities in three major cloud password managers: Bitwarden, LastPass, and Dashlane. Together, these platforms protect more than 60 million users worldwide.
The research examined how these services behave under a fully malicious server model, where the server no longer follows protocol rules. Although vendors advertise “zero-knowledge encryption,” meaning servers cannot access plaintext vault data, the researchers demonstrated multiple ways confidentiality and integrity protections can fail. In several scenarios, a malicious server could access, modify, or fully compromise a user’s vault.
Where the Security Breaks Down
The 25 vulnerabilities fall into four key categories:
- Key escrow and account recovery weaknesses
- Item-level vault encryption flaws
- Sharing feature exploits
- Backward compatibility and downgrade attacks
In key escrow and recovery flows, attackers can substitute unauthenticated public keys. This can result in full vault compromise during actions like logging in, joining an organization, or rotating encryption keys. Some attacks require only a single interaction to succeed.
At the vault level, missing authenticated encryption and improper key separation allow metadata leaks, field swapping, and replay attacks. Use of AES-CBC without proper integrity protection makes encrypted vaults malleable. In some cases, attackers can reduce KDF iterations, accelerating brute-force attacks by up to 300,000 times.
Real-World Impact on Users and Teams
Sharing mechanisms also introduce risk. If public keys are not properly authenticated, attackers can inject themselves into organizations or overwrite sharing keys. This can escalate from a single account compromise to full shared-vault or team-wide exposure.
Backward compatibility with legacy encryption modes such as AES-CBC further enables downgrade attacks. Some vulnerabilities require multiple syncs to trigger, while others succeed after just one login or join request.
Overall, many of these attacks stem from a few core design issues:
- Lack of public key authentication
- Missing key separation
- No authenticated encryption
- Continued support for legacy cryptographic modes
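As an added illustration (not code from the ETH Zurich study or from any of the three vendors) of the design issues listed above and the KDF-iteration downgrade described earlier: a client that refuses a weakened iteration count, and per-field key separation with an integrity tag bound to the item and field name, so a server that swaps fields or replays a blob from another item is detected. The iteration floor, the context-string format and the placeholder ciphertext bytes are assumptions, not values from the research.

```python
import hmac
import hashlib

# Assumption (not from the article): a client-side floor for PBKDF2 iterations.
MIN_KDF_ITERATIONS = 600_000

def check_kdf_iterations(server_iterations, last_accepted):
    """Return the server-announced count only if it meets the floor and never
    drops below a value this client already accepted; None means downgrade."""
    if server_iterations < MIN_KDF_ITERATIONS:
        return None
    if last_accepted is not None and server_iterations < last_accepted:
        return None
    return server_iterations

def field_key(vault_key, item_id, field):
    """Key separation: a distinct MAC key per (item, field), derived from the
    vault key with the context as HMAC input (one HKDF-expand step)."""
    return hmac.new(vault_key, f"{item_id}\x00{field}".encode(), hashlib.sha256).digest()

def seal(vault_key, item_id, field, ciphertext):
    """Bind a field's ciphertext to its item and field name. The ciphertext bytes
    stand in for AES output; the example isolates the integrity logic."""
    tag = hmac.new(field_key(vault_key, item_id, field), ciphertext, hashlib.sha256).digest()
    return {"item": item_id, "field": field, "ct": ciphertext, "tag": tag}

def unseal(vault_key, item_id, field, record):
    """Verify against the context the client expects, not the labels stored in
    the record, so a server that swaps or replays blobs cannot relabel them."""
    expected = hmac.new(field_key(vault_key, item_id, field), record["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None
    return record["ct"]

def demo():
    vault_key = b"\x11" * 32  # constructed test key
    pw = seal(vault_key, "item-1", "password", b"<aes-ct-password>")
    notes = seal(vault_key, "item-1", "notes", b"<aes-ct-notes>")
    other = seal(vault_key, "item-2", "password", b"<aes-ct-other>")
    return {
        "honest": unseal(vault_key, "item-1", "password", pw) == b"<aes-ct-password>",
        # the server moves the notes blob into the same item's password slot
        "field_swap_detected": unseal(vault_key, "item-1", "password", notes) is None,
        # the server replays item-2's password blob into item-1
        "replay_detected": unseal(vault_key, "item-1", "password", other) is None,
        # the server announces 5,000 iterations for an account already at 600,000
        "kdf_downgrade_blocked": check_kdf_iterations(5_000, 600_000) is None,
    }
```

Without the per-field key and context binding, the same HMAC check would accept the swapped and replayed records, which is the malleability the study attributes to unauthenticated CBC vaults.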
The findings show that even widely trusted password managers can face serious architectural risks if cryptographic boundaries between client and server are not strictly enforced.
The researchers reported the issues responsibly to Bitwarden, LastPass, and Dashlane in 2025, giving each company 90 days to fix them.
Vendor Fixes and Security Improvements
Bitwarden strengthened security by enforcing higher minimum KDF settings and removing older CBC encryption support. LastPass fixed one major vulnerability, and Dashlane patched several CBC-related weaknesses.
The researchers recommend stronger protections such as authenticated encryption, proper key separation, public key verification, and signing encrypted data.
What Users Should Do
Users should keep their password manager updated, enable stronger encryption options where available, and monitor vendor security advisories.
The study also highlights the need for formal security models for password managers, similar to end-to-end encrypted cloud storage systems. Even self-hosted deployments can remain vulnerable if the server itself is compromised.