Experts from ETH Zurich have discovered 25 critical vulnerabilities in three prominent cloud-based password management tools: Bitwarden, LastPass, and Dashlane.
These weaknesses allow a malicious server to bypass the zero-knowledge encryption guarantees, giving it unauthorized access to users' saved passwords and vault data and the ability to alter or retrieve them.
Bitwarden, LastPass, and Dashlane together serve over 60 million users and hold a substantial market share. The research examines their client-server communication under a fully hostile server threat model, in which the server may deviate arbitrarily from the protocol.
Providers claim “zero-knowledge encryption,” suggesting that servers are incapable of accessing plaintext vaults even if breached, yet the researchers reveal repeated lapses in confidentiality and integrity safeguards.
The 25 exploits fall into four categories: key escrow systems, item-level vault encryption flaws, sharing functionalities, and backward compatibility problems.
Key Escrow Exploits
These attacks target account recovery and SSO login functionality, permitting complete vault compromise through unauthenticated keys. Bitwarden's BW01-BW03 allow malicious auto-enrollment, key rotation, and KC conversion by substituting keys when a user joins an organization or accepts a dialog. LastPass's LP01 similarly abuses the password reset flow.
Item-Level Encryption Vulnerabilities
Deficient per-item encryption results in integrity breaches, metadata leaks, field swapping, and KDF downgrades. Bitwarden's BW04-BW07 expose unauthenticated metadata, allow fields to be swapped, decrypt icon URLs, and reduce KDF iterations to ease brute-force attacks. LastPass LP02-LP06 and Dashlane DL01 allow malleable vaults and replay attacks because of AES-CBC and missing bindings.
Sharing Functionality Vulnerabilities
Unauthenticated public keys jeopardize organizations and shared vaults. Bitwarden's BW08-BW09 inject or overwrite organizations; LastPass LP07 and Dashlane DL02 overwrite sharing keys when a user joins. The impact extends to team-wide access.
Backward Compatibility Problems
Legacy support allows downgrades to insecure modes such as AES-CBC. Bitwarden's BW10-BW12 disable safeguards and overwrite keys; Dashlane's DL03-DL06 enable injections, KDF removal, and the "Lucky 64" attack after repeated synchronizations. Dashlane patched these in extension version 6.2544.1.
Bitwarden accounts for 12 of the attacks, including malicious auto-enrollment (BW01), where unauthenticated organization public keys permit key substitution and complete vault compromise when a user joins any group.
LastPass has seven, such as inadequate ciphertext integrity with AES-CBC (LP05), allowing malleable vaults and field swapping. Dashlane has six, such as transaction replay (DL01), where keys shared across transactions let the server replay old transactions and compromise vault integrity.
| Attack Ref | Product | Cause | Impact | Client Interaction |
|---|---|---|---|---|
| BW01 | Bitwarden | Absence of Key Auth, Key Substitution | Complete vault compromise | 1 join |
| BW02 | Bitwarden | Key Substitution | Complete vault compromise | 1 rotation |
| BW03 | Bitwarden | Absence of Key Auth, Key Substitution | Complete vault compromise | 1 dialog |
| LP01 | LastPass | Absence of Key Auth | Complete vault compromise | 1 login |
| BW04 | Bitwarden | Absence of Auth Enc | Read/modify metadata | – |
| BW05 | Bitwarden | Absence of Key Sep | Field/item swapping | – |
| BW06 | Bitwarden | Absence of Key Sep | Loss of confidentiality | 1 open |
| BW07 | Bitwarden | Absence of Auth Enc | No brute-force defenses | 1 login |
| LP02 | LastPass | Absence of Auth Enc | Field/item swapping | – |
| LP03 | LastPass | Absence of Key Sep | Loss of confidentiality | 1 open |
| LP04 | LastPass | Absence of Auth Enc | No brute-force defenses | 1 login |
| LP05 | LastPass | Absence of Auth Enc | Loss of vault integrity | – |
| DL01 | Dashlane | Absence of Key Sep | Loss of vault integrity | – |
| BW08 | Bitwarden | Absence of Key Auth | Add users to organizations | 1 sync |
| BW09 | Bitwarden | Absence of Key Auth, Key Substitution | Organization compromise | 1 join |
| LP07 | LastPass | Absence of Key Auth | Shared vault compromise | 1 join |
| DL02 | Dashlane | Absence of Key Auth | Shared vault compromise | 1 join |
| BW10 | Bitwarden | Absence of Auth Enc | Downgrade key hierarchy | – |
| BW11 | Bitwarden | CBC Support | Loss of confidentiality | 2 logins |
| BW12 | Bitwarden | CBC Support | Complete vault compromise | 2 logins |
| DL03 | Dashlane | CBC Support | Loss of vault integrity | 104 syncs |
| DL04 | Dashlane | CBC Support | No brute-force defenses | 104 syncs |
| DL05 | Dashlane | CBC Support | Loss of confidentiality | 105 syncs |
| DL06 | Dashlane | CBC Support | No brute-force defenses | 104 syncs |
| LP06 | LastPass | Absence of Auth Enc | Read/modify metadata | – |
Many of the attacks require minimal user interaction, such as a single login or synchronization, and exploit unauthenticated public keys, missing key separation, and legacy AES-CBC support. For example, icon URL decryption leaks (BW06, LP03) expose passwords through client requests. KDF iteration downgrades (BW07, LP04) speed up brute-force attempts by up to 300,000x.

Researchers responsibly disclosed their findings: Bitwarden on January 27, 2025; LastPass on June 4, 2025; Dashlane on August 29, 2025, with 90-day remediation windows.
Bitwarden has begun shipping fixes for several issues, including a minimum KDF iteration count and CBC removal; LastPass fixed LP03; Dashlane addressed some of the CBC issues. Suggested mitigations include authenticated encryption (AE), complete key separation (KS), public key authentication (PKA), and ciphertext signing (SC).
Users should update their clients, enable per-item keys where available, and keep track of vendor patches. The study calls for formal security models for password managers, similar to those for E2EE cloud storage. Self-hosted deployments remain exposed if their server is compromised.
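The field-swapping class above (BW05, LP02) and the AE and KS mitigations, as an added example that is not code from the paper or from any of the three vendors: a minimal vault-item scheme with no binding, beside one that separates keys and authenticates the item id and field name, so a ciphertext the server moves to another field no longer opens. AES is replaced by an HMAC-SHA256 keystream so the block runs on the standard library alone; item ids and vault contents are constructed.

```python
import hashlib
import hmac
import os

# Added example, not from the paper or any vendor's code. The stand-in cipher is an
# HMAC-SHA256 keystream; the point is the authentication and binding, not the cipher.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]
def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Weak scheme: confidentiality only; nothing ties a ciphertext to its item or field.
def unbound_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + _xor(plaintext, _keystream(key, nonce, len(plaintext)))
def unbound_decrypt(key: bytes, blob: bytes) -> bytes:
    return _xor(blob[16:], _keystream(key, blob[:16], len(blob) - 16))

# Hardened scheme: separate enc/mac subkeys (key separation) and a MAC that covers
# the item id and field name as associated data, so a moved ciphertext fails to open.
def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())
def _tag(mac_key: bytes, item_id: str, field: str, nonce: bytes, ct: bytes) -> bytes:
    return hmac.new(mac_key, f"{item_id}|{field}".encode() + nonce + ct, hashlib.sha256).digest()
def bound_encrypt(key: bytes, item_id: str, field: str, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    return nonce + ct + _tag(mac_key, item_id, field, nonce, ct)
def bound_decrypt(key: bytes, item_id: str, field: str, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(mac_key, item_id, field, nonce, ct)):
        raise ValueError("ciphertext not authenticated for this item/field")
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))

def field_swap_demo(key: bytes) -> dict:
    """A hostile server returns the 'notes' ciphertext in the 'password' slot."""
    notes = b"constructed sample: recovery hint"                       # constructed data
    weak_result = unbound_decrypt(key, unbound_encrypt(key, notes))   # opens silently
    moved = bound_encrypt(key, "item-42", "notes", notes)             # stored under 'notes'
    try:
        bound_decrypt(key, "item-42", "password", moved)
        detected = False
    except ValueError:
        detected = True
    return {"weak_swap_undetected": weak_result == notes, "hardened_swap_detected": detected}
```

Running `field_swap_demo` with any 32-byte key shows the unbound scheme quietly presenting the notes text in the password field, while the bound scheme rejects the moved ciphertext.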