Vulnerabilities in Cloud-Based Password Managers

IT researchers from ETH Zurich have investigated widely used password managers and found ways to view passwords.


IT security researchers at ETH Zurich have examined three popular password managers in detail and discovered several security vulnerabilities. However, exploiting them requires a complete compromise of the provider's servers, so according to one manufacturer the risk is only medium to low. Many of the vulnerabilities have apparently been patched for some time already.

In their research paper, which the Swiss IT researchers will present at the "Usenix Security 2026" conference, they describe in more detail how they confronted Bitwarden with twelve attacks (initially ten, later split into twelve), LastPass with seven, and Dashlane with six. The selection was based on user numbers: together, these password managers have more than 60 million users and a market share of 23 percent. "The severity of the attacks ranges from integrity violations of targeted user vaults to the complete compromise of all vaults associated with an organization. In most attacks, passwords can be recovered," explain the IT researchers. This breaks the zero-knowledge principle and end-to-end encryption (E2EE), enabling unauthorized access to passwords.

The attacks generally require fully compromised server infrastructure, in which attackers control the server's network responses, as well as user interaction. In January of last year, the IT security analysts confronted the manufacturers with the results and allowed a 90-day period for responsible disclosure. However, the providers needed more time to fix the vulnerabilities, and some do not consider them to be problems that need fixing.

The affected manufacturers, in turn, reacted with publications about the vulnerabilities. Bitwarden explains in a blog post that "all issues identified in the report have been resolved by the Bitwarden team." The developers have also compiled a comprehensive 35-page report with a summary, their own analysis, and the solutions to the reported problems; nine pages cover their own analysis. "Seven issues have been or are currently being actively addressed, while three have been accepted as conscious design decisions necessary for product functionality," explain the developers there regarding the vulnerabilities originally reported as ten, which were later split further.

Dashlane writes in a blog post that the developers have also reviewed the research findings and "distributed bug fixes where appropriate." The bug fix was distributed on November 5, 2025, starting with version 6.2544.1 of the Dashlane extension. They add: "It is important to note that exploiting this issue would require a complete compromise of a password manager's servers, coupled with extremely capable attackers able to perform cryptographic attacks, and an extremely long timeframe."


LastPass has also responded with a blog post. According to the post, the developers have already fixed an issue with icon and URL handling and are currently working on password strength improvements. Further changes are planned for account recovery and password sharing. The integrity of password vaults and the protection of metadata are also on the to-do list.

All manufacturers emphasize that this is a hypothetical scenario and that no such exploits have been observed in the wild. There is also no immediate, concrete need for action on the part of users. They unanimously thank the IT researchers for their work and the submitted results.

Last December, Germany's Federal Office for Information Security (BSI) also scrutinized password managers. Although the IT security authority found potential for improvement, it saw no reason to stop using them.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.