[…]The team, comprised of researchers from ETH Zurich and Università della Svizzera italiana (USI), examined the “zero-knowledge encryption” promises made by Bitwarden, LastPass, and Dashlane, finding all three could expose passwords if attackers compromised servers.
The premise of zero-knowledge encryption is that user passwords are encrypted on their device, and the password manager’s server acts merely as a dumb storage box for the encrypted credentials. Therefore, in the event that the vendor’s servers are controlled by malicious parties, attackers wouldn’t be able to view users’ secrets.
As one of the most popular alternatives to Apple and Google’s own password managers, which together dominate the market, the researchers found Bitwarden was most susceptible to attacks, with 12 working against the open-source product. Seven distinct attacks worked against LastPass, and six succeeded in Dashlane.
The attacks don’t exploit weaknesses in the same way that remote attackers could exploit vulnerabilities and target specific users. Instead, the researchers worked to test each platform’s ability to keep secrets safe in the event they were compromised.
In most cases where attacks were successful, the researchers said they could retrieve encrypted passwords from the user, and in some cases, change the entries.
They used a malicious server model to test all of this – setting up servers that behaved like hacked versions of those used by the password managers. Seven of Bitwarden’s 12 successful attacks led to password disclosure, whereas only three of LastPass’s attacks led to the same end, and one for Dashlane.
All three vendors claim their products come with zero-knowledge encryption. The researchers noted that none of them outline the specific threat model their password manager secures against.
The researchers said: “The majority of our attacks require simple interactions which users or their clients perform routinely as part of their usage of the product, such as logging in to their account, opening the vault and viewing the items, or performing periodic synchronization of data.
“We also present attacks that require more complex user actions, such as key rotations, joining an organization, sharing credentials, or even clicking on a misleading dialog. Although assessing the probability of these actions is challenging, we believe that, within a vast user base, many users will likely perform them.”
In the full paper [PDF], they went on to argue that password managers have escaped deep academic scrutiny until now, unlike end-to-end encrypted messaging apps. It is perhaps due to a perception that password managers are simple applications – deriving keys and then encrypting them. However, their codebases are more complex than that, often offering features such as the ability to share accounts with family members and featuring various ways to maintain backward-compatibility with older encryption standards.
Kenneth Paterson, professor of computer science at ETH Zurich, said “we were surprised by the severity of the security vulnerabilities” affecting the password managers.
“Since end-to-end encryption is still relatively new in commercial services, it seems that no one had ever examined it in detail before.”
[…]
Source: Password managers don’t protect secrets if pwned • The Register
Robin Edgar
Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft