Security researchers from ETH Zurich and the Università della Svizzera italiana in Lugano have identified significant flaws in the widely used password managers Bitwarden, LastPass, and Dashlane, showing that they fall short of the protection users assume they provide.

According to the study, the products contain weaknesses that allowed the researchers to read and alter saved credentials. During the evaluation, the investigators were able to inspect and modify user data that was supposed to be protected by encryption.

These services store user credentials in encrypted form on remote servers so that a vault can be retrieved from any device, wherever the user is. The design rests on the vault being encrypted on the client with a key derived from the master password, so that even a compromise of the provider's servers should expose nothing: the server holds only ciphertext it cannot read and must not be able to alter.

However, the Swiss team found issues in Bitwarden, LastPass, and Dashlane that enabled attacks ranging from tampering with parts of an individual user's vault to complete takeover of vaults shared across an organisation. In most scenarios the attacker could directly read and edit the stored secrets.

The study demonstrated 12 attacks against Bitwarden, seven against LastPass, and six against Dashlane. The researchers assumed a compromised backend and triggered the flaws through ordinary actions such as signing in, unlocking the vault, displaying a credential, and the syncing that the user or the browser extension performs in the background.

The researchers noted unconventional design choices in these applications, most likely made to improve usability, for example to support account recovery or sharing within a family plan. Each such feature adds complexity to the cryptographic design, and that complexity creates additional openings for an attacker.

The researchers cautioned that carrying out these attacks requires no specialised hardware: simple scripts that imitate legitimate server responses are sufficient.

Before publishing the report, the team notified the affected companies and gave them time to address the problems. All three responded constructively, although the speed of the fixes varied between them.

The underlying cause, according to the researchers, is developers' reluctance to roll out changes to the encryption scheme, for fear of locking users out of their credentials and files. The user base is vast, including many personal accounts as well as businesses that depend entirely on these platforms, where losing access to the data could be disastrous. As a result, some of the products still rely on encryption schemes that are decades old.

To resolve this, the study recommends adopting modern encryption standards for all new sign-ups. Existing users would then be given the choice of migrating to the upgraded, more secure scheme or staying on the legacy one, having been clearly informed of its risks.

The team stressed that there is no immediate danger and said they are confident that the services have not been maliciously compromised so far, so user data remains protected. Still, these platforms are attractive targets for attackers, and incidents do occur from time to time.

Prospective users should choose services that report risks transparently, undergo independent security audits, and enable end-to-end encryption by default.