ETH Zurich researchers report vulnerabilities in LastPass, Bitwarden and Dashlane enabling "practical attacks"
– ETH Zurich and Universita della Svizzera Italiana researchers analysed or reverse‑engineered LastPass, Bitwarden and Dashlane
– The team found "a cornucopia of practical attacks" and said the majority of devised attacks allow recovery of passwords
– Several attacks exploit password managers' key escrow mechanisms used for invites or forgotten‑access resets
– Clients bundle generated keys, encrypt them locally, and send the ciphertext to servers; the researchers found this ciphertext is not always integrity‑checked
– An attacker could swap keys sent to a client to extract a shared vault key, enabling account recovery or decryption/modification of shared items
– Researchers also examined attacks related to backward compatibility with older versions, and a threat model where the server is "fully malicious"
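As an added illustration (not code from the paper or from any of the three products), this Go sketch shows the integrity check the bullets above call for: the shared vault key is wrapped with authenticated encryption (AES‑GCM) and bound to a context string as associated data, so an escrow record the server swaps in from another vault or user, or edits in transit, is rejected rather than decrypted. The record layout, the context format and the key sizes are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func newGCM(accountKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(accountKey) // accountKey: 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapKey encrypts vaultKey under accountKey with AES-GCM, binding the record to a context
// (e.g. "vault:A|recipient:alice") as associated data. Layout: nonce || ciphertext || tag.
func WrapKey(accountKey, vaultKey []byte, context string) ([]byte, error) {
	aead, err := newGCM(accountKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, vaultKey, []byte(context)), nil
}

// UnwrapKey yields the vault key only if ciphertext, tag and context verify; a record
// swapped in from another vault or user, or edited on the server, is rejected.
func UnwrapKey(accountKey, record []byte, context string) ([]byte, error) {
	aead, err := newGCM(accountKey)
	if err != nil {
		return nil, err
	}
	if n := aead.NonceSize(); len(record) >= n+aead.Overhead() {
		return aead.Open(nil, record[:n], record[n:], []byte(context))
	}
	return nil, errors.New("escrow record too short")
}

func main() {
	account := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte account key
	rec, _ := WrapKey(account, []byte("constructed vault key"), "vault:A|recipient:alice")
	_, err := UnwrapKey(account, rec, "vault:B|recipient:alice") // server hands back a swapped record
	println("substituted record rejected:", err != nil)
}
```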