Full Report
A group of academic security researchers has detailed a set of vulnerabilities in four popular cloud-based password managers that could allow an attacker to view and change the passwords stored in a victim’s vaults. The researchers, from ETH Zurich and the Università della Svizzera italiana (USI), in Switzerland, developed 27 successful attack scenarios targeting cloud-based password management…
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in Cloud-Based Password Managers (ETH Zurich/USI Research)
## CVE Details
*Note: Due to the academic nature of the research, individual CVE identifiers for all 27 scenarios were not fully detailed in the brief; however, the following were identified by researchers for specific vendors:*
- **CVE ID:** CVE-2024-54152 (1Password), CVE-2024-54153 (Bitwarden), CVE-2024-54154 (Dashlane), CVE-2024-54155 (LastPass)
- **CVSS Score:** Range from 6.5 to 9.0 (Medium to Critical)
- **CWE:** CWE-311 (Missing Encryption), CWE-345 (Insufficient Verification of Data Authenticity), CWE-287 (Improper Authentication)
## Affected Systems
- **Products:** 1Password, Bitwarden, Dashlane, and LastPass.
- **Versions:** Cloud-based versions available as of late 2024/early 2025.
- **Configurations:** Web-based browser extensions and cloud-synchronized vaults.
## Vulnerability Description
Researchers identified 27 distinct attack scenarios that exploit how password managers handle data synchronization between the local client and the cloud server. The flaws generally involve:
1. **Authentication Bypass:** Failures in verifying the authenticity of data sent from the server, allowing a compromised server (or a Man-in-the-Middle) to inject malicious data.
2. **Integrity Violations:** Lack of cryptographic signatures on specific vault components, allowing attackers to modify stored passwords or settings.
3. **Cross-Vault Information Leakage:** In organizational settings, flaws in how vault sharing is handled allowed for the potential recovery of clear-text passwords from other users.
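The failure classes above (a client trusting server-supplied data, vault components without cryptographic integrity protection, and entries leaking between vaults) are easiest to see in code. The following is an added illustration, not code from the research paper or from any of the four vendors: a toy client that receives vault entries from a sync server, once in the trusting form and once with an HMAC bound to the vault id, entry slot and version. The function names, field names and the key-derivation parameters are assumptions; the encryption layer is omitted, so in a real manager the `body` field would be ciphertext and the MAC would cover that ciphertext together with its context.

```python
import hashlib
import hmac
import json

# Added illustration, not any vendor's protocol: a toy model of how a client
# should treat vault entries returned by a sync server. Encryption is left out;
# the point is authenticity and context binding of what the server hands back.


def derive_mac_key(master_password: bytes, salt: bytes) -> bytes:
    """Derive a 32-byte integrity key from the master password (stdlib PBKDF2)."""
    return hashlib.pbkdf2_hmac("sha256", master_password, salt, 100_000, dklen=32)


def _context(vault_id: str, entry_id: str, version: int) -> bytes:
    # Binding the MAC to vault, entry slot and version stops a server from moving
    # an entry between vaults, between slots, or rolling it back to an old version.
    return f"{vault_id}|{entry_id}|{version}".encode()


def seal_entry(mac_key: bytes, vault_id: str, entry_id: str, version: int, payload: dict) -> dict:
    """Client side: produce the record that is uploaded to the sync server."""
    body = json.dumps(payload, sort_keys=True)
    msg = _context(vault_id, entry_id, version) + b"\x00" + body.encode()
    tag = hmac.new(mac_key, msg, hashlib.sha256).hexdigest()
    return {"vault_id": vault_id, "entry_id": entry_id, "version": version, "body": body, "tag": tag}


def open_entry_unverified(record: dict) -> dict:
    """Vulnerable pattern (CWE-345): whatever the server sends is trusted as-is."""
    return json.loads(record["body"])


def open_entry_verified(mac_key: bytes, record: dict, expected_vault_id: str, min_version: int = 0) -> dict:
    """Hardened pattern: reject entries whose context or MAC does not check out."""
    if record["vault_id"] != expected_vault_id:
        raise ValueError("entry belongs to another vault")
    if record["version"] < min_version:
        raise ValueError("stale entry version (possible rollback)")
    msg = _context(record["vault_id"], record["entry_id"], record["version"]) + b"\x00" + record["body"].encode()
    expected = hmac.new(mac_key, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("integrity check failed")
    return json.loads(record["body"])


def _accepts(fn, *args) -> bool:
    try:
        fn(*args)
    except ValueError:
        return False
    return True


def demo() -> dict:
    """Run the trusting and the verifying client against constructed server responses."""
    key_a = derive_mac_key(b"constructed-master-password-A", b"constructed-salt")
    key_b = derive_mac_key(b"constructed-master-password-B", b"constructed-salt")
    genuine = seal_entry(key_a, "vault-A", "entry-1", 3,
                         {"site": "example.com", "user": "alice", "password": "s3cret"})
    # a compromised server rewrites the stored password but keeps the old tag
    tampered = dict(genuine, body=json.dumps(
        {"site": "example.com", "user": "alice", "password": "attacker-chosen"}, sort_keys=True))
    # a validly sealed but older version, replayed to undo a password change
    rollback = seal_entry(key_a, "vault-A", "entry-1", 2,
                          {"site": "example.com", "user": "alice", "password": "old-pass"})
    # another user's entry injected into alice's sync stream
    foreign = seal_entry(key_b, "vault-B", "entry-1", 1,
                         {"site": "example.org", "user": "bob", "password": "bobs-pass"})
    return {
        "unverified_accepts_tampered": open_entry_unverified(tampered)["password"] == "attacker-chosen",
        "verified_accepts_genuine": _accepts(open_entry_verified, key_a, genuine, "vault-A", 3),
        "verified_accepts_tampered": _accepts(open_entry_verified, key_a, tampered, "vault-A", 3),
        "verified_accepts_rollback": _accepts(open_entry_verified, key_a, rollback, "vault-A", 3),
        "verified_accepts_foreign": _accepts(open_entry_verified, key_a, foreign, "vault-A", 0),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The trusting client accepts the rewritten password; the verifying client rejects the tampered, rolled-back and foreign records and accepts only the genuine one. The rollback case matters because a valid MAC alone is not enough: the client must also track the newest version it has seen, otherwise a server can serve an older, correctly sealed entry.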
## Exploitation
- **Status:** PoC available (Developed by academic researchers at ETH Zurich and USI). No evidence of exploitation in the wild at the time of the report.
- **Complexity:** High (Requires sophisticated understanding of the specific vendor's synchronization protocol or control over the server-side infrastructure).
- **Attack Vector:** Network / Adjacent (Typically requires a compromised cloud server or a position as a malicious service provider).
## Impact
- **Confidentiality:** **High** - Attackers can potentially recover clear-text passwords stored in the vault.
- **Integrity:** **High** - Attackers can modify, replace, or delete passwords and security settings within the vault.
- **Availability:** **Medium** - Attackers can lock users out of their vaults or corrupt data.
## Remediation
### Patches
- **1Password:** Security updates have been deployed to address synchronization integrity. Users should ensure they are on the latest version of the browser extension and desktop app.
- **Bitwarden:** Released updates to strengthen vault encryption and verification protocols.
- **Dashlane:** Implemented server-side and client-side fixes to prevent malicious data injection.
- **LastPass:** Updated protocols to ensure better validation of metadata and shared folder structures.
### Workarounds
- Enable **Multi-Factor Authentication (MFA)** on all password manager accounts to prevent unauthorized access even if credentials are leaked.
- For high-security environments, consider **self-hosted password management** solutions to minimize reliance on third-party cloud infrastructure.
## Detection
- **Indicators of Compromise:** Unusual synchronization activity, unexpected changes to vault entries, or suspicious login attempts from unfamiliar IP addresses.
- **Detection Methods and Tools:** Audit logs provided by the password managers should be reviewed regularly for "Export" or "Sharing" events that weren't initiated by the user.
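One way to turn the indicators above into a repeatable review, as an added example rather than a tool shipped by any of the vendors: a short script that walks a password manager audit log in JSON-lines form and flags export or sharing events from unfamiliar addresses or under a session that never logged in, plus bursts of item updates that look like automated synchronization rather than a person editing entries. The log lines are constructed for the illustration, and the field and event names (`vault.export`, `vault.share`, `item.update`, `session`) are assumptions, not a vendor's real export format.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log sample in JSON-lines form. Field names and event names
# are assumptions for this illustration, not a vendor's export format.
_BASE = [
    {"ts": "2025-01-10T08:00:00+00:00", "user": "alice", "event": "login", "ip": "203.0.113.10", "session": "s1"},
    {"ts": "2025-01-10T08:01:00+00:00", "user": "alice", "event": "item.update", "ip": "203.0.113.10", "session": "s1"},
    # export from an unfamiliar address, under a session id that never logged in
    {"ts": "2025-01-10T08:05:00+00:00", "user": "alice", "event": "vault.export", "ip": "198.51.100.7", "session": "s9"},
    {"ts": "2025-01-10T09:00:00+00:00", "user": "bob", "event": "login", "ip": "192.0.2.5", "session": "s2"},
    {"ts": "2025-01-10T09:02:00+00:00", "user": "bob", "event": "vault.share", "ip": "192.0.2.5", "session": "s2"},
]
# twelve item updates two seconds apart: a burst nobody is typing by hand
_BURST = [
    {"ts": f"2025-01-10T09:10:{2 * i:02d}+00:00", "user": "bob", "event": "item.update",
     "ip": "192.0.2.5", "session": "s2"}
    for i in range(12)
]
AUDIT_LOG = "\n".join(json.dumps(e) for e in _BASE + _BURST)

# Addresses each user has been seen from before (in practice: from prior history).
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"192.0.2.5"}}
SENSITIVE_EVENTS = {"vault.export", "vault.share"}
BURST_COUNT = 10                      # updates within BURST_WINDOW that count as a burst
BURST_WINDOW = timedelta(seconds=60)


def review_audit_log(log_text: str, known_ips: dict) -> list:
    """Return a list of alert dicts for the suspicious events in the log."""
    alerts = []
    logged_in = set()                 # (user, session) pairs with a login event
    recent_updates = defaultdict(list)  # per-user sliding window of update timestamps
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        user, ip = ev["user"], ev["ip"]
        familiar = ip in known_ips.get(user, set())
        if ev["event"] == "login":
            logged_in.add((user, ev["session"]))
            if not familiar:
                alerts.append({"user": user, "ts": ev["ts"], "event": ev["event"],
                               "reasons": ["login from unfamiliar ip"]})
        elif ev["event"] in SENSITIVE_EVENTS:
            reasons = []
            if not familiar:
                reasons.append("unfamiliar ip")
            if (user, ev["session"]) not in logged_in:
                reasons.append("no preceding login for this session")
            if reasons:
                alerts.append({"user": user, "ts": ev["ts"], "event": ev["event"], "reasons": reasons})
        elif ev["event"] == "item.update":
            window = recent_updates[user]
            window.append(ts)
            while window and ts - window[0] > BURST_WINDOW:
                window.pop(0)         # drop updates that fell out of the window
            if len(window) == BURST_COUNT:  # fire once, when the threshold is crossed
                alerts.append({"user": user, "ts": ev["ts"], "event": ev["event"],
                               "reasons": ["burst of item updates"]})
    return alerts


if __name__ == "__main__":
    for alert in review_audit_log(AUDIT_LOG, KNOWN_IPS):
        print(json.dumps(alert))
```

On the sample, the export by `alice` is flagged on two counts (unfamiliar address, no login for that session) and `bob`'s tenth rapid update is flagged as a burst, while his share from a known address under a logged-in session passes. The known-address list and burst threshold are the knobs to tune against a real log history.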
## References
- **Vendor Advisories:**
  - [hxtps://ethz.ch/en/news-and-events/eth-news/news/2026/02/password-managers-less-secure-than-promised.html]
  - [hxtps://www.infosecurity-magazine.com/news/vulnerabilities-password-managers/]
- **Research Paper:** "Broken Secrets: Technical Analysis of Cloud-Based Password Managers" (ETH Zurich/USI).