Researchers find Bitwarden, LastPass, Dashlane zero-knowledge claims broken
Summary
New research debunks "zero-knowledge" claims by top password managers like Bitwarden, LastPass, and Dashlane. Server-side vulnerabilities allow attackers to steal user vault data.
Researchers debunk zero knowledge claims
Researchers from ETH Zurich and USI Lugano discovered vulnerabilities in Bitwarden, LastPass, and Dashlane that allow attackers with server access to steal user vaults. This discovery contradicts the "zero-knowledge" marketing used by these companies to assure users their data remains private even during a server-side breach.
The study found that a malicious insider or a hacker who compromises the cloud infrastructure can bypass encryption in several scenarios. These vulnerabilities primarily exist when users enable account recovery, share vaults, or organize into groups. Researchers reverse-engineered the three products and identified 25 distinct attacks that could lead to data theft.
Password managers have become essential security tools for 94 million US adults, or roughly 36 percent of the population. These tools store highly sensitive information including financial credentials, cryptocurrency keys, and payment card numbers. Bitwarden, Dashlane, and LastPass alone protect the data of approximately 60 million people.
Most top-tier password managers use the term "zero knowledge" to describe their security architecture. This marketing implies that the service provider has no way to access user data even if they wanted to. The research shows these claims are not technically accurate when certain features are active.
Recovery features create security holes
The most severe vulnerabilities involve the key escrow mechanisms used for account recovery. In Bitwarden, an attacker can exploit the process of enrolling a new member into a family or organization. When a group admin invites a new user, the server provides a group public key that the client uses to encrypt a symmetric key.
The Bitwarden client fails to perform an integrity check on this data when it arrives from the server. An adversary can replace the legitimate group public key with their own keypair. Once the invitee accepts the invitation, the adversary can decrypt the resulting ciphertext and gain full access to the member's vault.
This attack typically requires the admin to enable autorecovery mode, which bypasses user interaction. However, because the client does not verify group policies downloaded from the server, an attacker can force the system into auto mode. This allows the adversary to read and modify the entire contents of the vault immediately.
The researchers noted that this flaw can spread through an organization like a worm. If a compromised member belongs to multiple groups, the attacker obtains the symmetric keys for those groups as well. Any organization with key recovery enabled and overlapping members becomes vulnerable to the same vault theft.
LastPass and Dashlane sharing flaws
LastPass suffers from a similar flaw in its Teams and Business versions during master key resets. When a superadmin triggers a reset, the member's browser extension retrieves an RSA keypair to encrypt the new key. Because LastPass does not authenticate these superadmin keys, an attacker can substitute their own public key to intercept the vault credentials.
The LastPass client queries the server at every login to fetch a list of admin keys. It then sends account recovery ciphertexts regardless of whether the user is currently enrolled in a reset process. This behavior creates a persistent window for a compromised server to harvest keys from unsuspecting users.
Dashlane vulnerabilities appear when users share specific items or folders with others. When a user shares an item, the client generates a new RSA keypair that is not authenticated by the system. An adversary can supply their own keypair and use the public key to encrypt the shared data.
By using the corresponding secret key, the attacker can recover the shared symmetric key to read or modify all shared items. The researchers confirmed that Bitwarden and LastPass are susceptible to nearly identical attacks on their sharing features. These flaws turn a convenience feature into a direct path for data exfiltration.
Legacy support weakens modern security
All three password managers maintain backward compatibility for older, less secure versions of their software. This decision prevents users on outdated apps from losing access to their data, but it introduces significant security regressions. Attackers can force modern clients to use deprecated encryption schemes that lack proper integrity checks.
Bitwarden previously used a single symmetric key for vault items before moving to authenticated encryption that protects each item with an HMAC tag. To support older versions, the system uses an attribute to toggle between the old and new schemes. An attacker can forge server responses to force the client into using the unauthenticated Cipher Block Chaining (CBC) mode.
Researchers also found that servers can manipulate the number of hashing iterations used to protect master passwords. Bitwarden and LastPass use a default of 600,000 iterations to make brute-force attacks difficult. A compromised server can tell the client to use only 2 iterations, reducing the effort required to crack a password by 300,000 times.
The research highlighted several critical weaknesses across the industry:
- Vault malleability allows attackers to swap encrypted fields within a vault.
- Padding oracle attacks can be used to convert ciphertext into plaintext over time.
- Unauthenticated public keys enable man-in-the-middle attacks by the service provider.
- Iteration downgrades make master passwords vulnerable to rapid cracking.
- Lack of integrity checks on server-provided configurations allows for policy manipulation.
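The recurring weakness in the recovery, sharing and legacy-support findings above is that the client acts on whatever the server hands it: a group or admin public key, a KDF iteration count, a cipher-scheme attribute, a recovery policy. The following added example (not code from the paper or from Bitwarden, LastPass or Dashlane) sketches the defensive counterpart: a client that pins what it saw in earlier trusted sessions and enforces floors, so a substituted key, a 2-iteration KDF, a legacy-scheme toggle or a silently widened recovery policy is rejected rather than used. All key bytes, organisation identifiers and scheme names are constructed for the example; the 600,000 floor is the default the article cites.

```python
"""Client-side checks on server-supplied security parameters.

Added example; it is not code from the paper or from Bitwarden, LastPass
or Dashlane. It models a password-manager client that keeps a local
trusted store of the values a compromised server could otherwise change
unilaterally (the organisation public key it was first shown, the KDF
iteration count, the vault cipher scheme, the recovery policy) and checks
every server response against that store before acting on it. All key
bytes, identifiers and scheme names below are constructed for the example.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Floor the client enforces no matter what the server says; the article
# gives 600,000 as the Bitwarden/LastPass default.
MIN_KDF_ITERATIONS = 600_000
# Only the authenticated (encrypt-then-MAC) scheme may be used for new
# encryptions; the label is a constructed name, not a product identifier.
ALLOWED_CIPHER_SCHEMES = {"aes-cbc-hmac"}


class ServerTamperingError(Exception):
    """Raised when a server response contradicts pinned state or a floor."""


def key_fingerprint(public_key: bytes) -> str:
    """SHA-256 fingerprint of a serialised public key, for pinning and display."""
    return hashlib.sha256(public_key).hexdigest()


@dataclass
class PinnedState:
    """What the client remembers from earlier, trusted sessions."""
    org_key_fingerprints: Dict[str, str] = field(default_factory=dict)
    kdf_iterations: Optional[int] = None
    auto_recovery: Dict[str, bool] = field(default_factory=dict)


def check_org_public_key(state: PinnedState, org_id: str, server_key: bytes) -> str:
    """Trust-on-first-use pinning of the group/admin public key.

    A key substituted later by a malicious server yields a different
    fingerprint and is rejected instead of being used to wrap the
    member's symmetric key.
    """
    fp = key_fingerprint(server_key)
    pinned = state.org_key_fingerprints.get(org_id)
    if pinned is None:
        # First sight: pin it; a real client would show fp for out-of-band confirmation.
        state.org_key_fingerprints[org_id] = fp
        return "pinned"
    if pinned != fp:
        raise ServerTamperingError(f"public key for {org_id} changed: {pinned[:16]} -> {fp[:16]}")
    return "match"


def check_kdf_iterations(state: PinnedState, server_iterations: int) -> int:
    """Refuse iteration counts below the floor or below the previously pinned value."""
    if server_iterations < MIN_KDF_ITERATIONS:
        raise ServerTamperingError(f"KDF iterations {server_iterations} below floor {MIN_KDF_ITERATIONS}")
    if state.kdf_iterations is not None and server_iterations < state.kdf_iterations:
        raise ServerTamperingError("KDF iterations lower than previously pinned value")
    state.kdf_iterations = server_iterations
    return server_iterations


def check_cipher_scheme(scheme: str) -> str:
    """Refuse a server attribute that toggles the client back to a legacy scheme."""
    if scheme not in ALLOWED_CIPHER_SCHEMES:
        raise ServerTamperingError(f"cipher scheme {scheme!r} not allowed")
    return scheme


def check_recovery_policy(state: PinnedState, org_id: str, auto: bool, user_confirmed: bool) -> bool:
    """Widening recovery to auto mode must be confirmed by the user, never applied silently."""
    previous = state.auto_recovery.get(org_id, False)
    if auto and not previous and not user_confirmed:
        raise ServerTamperingError(f"{org_id}: server enabled auto-recovery without user confirmation")
    state.auto_recovery[org_id] = auto
    return auto


def audit_server_response(state: PinnedState, response: dict, user_confirmed: bool = False) -> List[str]:
    """Run every check; return the list of rejections (empty means the response passed)."""
    findings: List[str] = []
    checks = [
        lambda: check_org_public_key(state, response["org_id"], response["org_public_key"]),
        lambda: check_kdf_iterations(state, response["kdf_iterations"]),
        lambda: check_cipher_scheme(response["cipher_scheme"]),
        lambda: check_recovery_policy(state, response["org_id"], response["auto_recovery"], user_confirmed),
    ]
    for check in checks:
        try:
            check()
        except ServerTamperingError as exc:
            findings.append(str(exc))
    return findings


if __name__ == "__main__":
    state = PinnedState()
    honest = {"org_id": "org-1", "org_public_key": b"constructed-key-A",
              "kdf_iterations": 600_000, "cipher_scheme": "aes-cbc-hmac", "auto_recovery": False}
    print("honest response:", audit_server_response(state, honest))
    tampered = {"org_id": "org-1", "org_public_key": b"constructed-key-B",
                "kdf_iterations": 2, "cipher_scheme": "aes-cbc", "auto_recovery": True}
    for finding in audit_server_response(state, tampered):
        print("REJECTED:", finding)
```

Trust-on-first-use only protects sessions after the first one; a client that wants to close that gap has to obtain the organisation key through a channel the server does not control (for example an administrator-verified fingerprint), which is exactly the authentication step the article says the three products omit.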
Swapping fields to steal passwords
A specific attack called "vault malleability" allows an adversary to steal passwords by manipulating individual fields. Password managers often encrypt fields like URLs and passwords separately using the same key. An attacker can replace the ciphertext in the URL field with the ciphertext from the password field.
When the client attempts to display a website icon, it decrypts the URL field and sends the result to the server. Because the fields were swapped, the client unknowingly decrypts the password and sends it directly to the attacker's server. This exploit works because the client does not verify that the decrypted data matches the intended field type.
This vulnerability exists because many managers use "item-level encryption" rather than encrypting the entire vault as a single block. "A crypto audit should spot it, but only if you’re thinking about malicious servers," said co-author Kenny Paterson. He noted that developers often fail to write client software defensively against their own servers.
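The field-swap described above works because the integrity tag, where one exists, covers only the ciphertext and says nothing about which field it belongs to. The added example below (not code from the paper or from any product it discusses) shows both halves: a legacy client that decrypts a swapped URL field and hands the password to the icon lookup, and a hardened client that binds the field name into the tag as associated data so the same swap fails verification. The cipher is a toy stand-in built from the standard library (an HMAC-SHA256 counter-mode keystream in place of AES-CTR, an HMAC-SHA256 tag for integrity); the vault item, key and hostname are constructed sample data.

```python
"""Vault malleability: per-field encryption with and without field binding.

Added example, not code from the paper or from any product it discusses.
The cipher is a toy stand-in built from the standard library: a keystream
derived with HMAC-SHA256 in counter mode plays the part of AES-CTR, and an
HMAC-SHA256 tag supplies integrity. What matters is what the tag covers.
The legacy scheme tags only the ciphertext, so a server can move the
password field's ciphertext into the URL field and the client decrypts it
as a URL. The hardened scheme includes the field name as associated data,
so the same swap fails verification. Item, key and URL are constructed.
"""
import hashlib
import hmac
import os

NONCE_LEN = 12
TAG_LEN = 32


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from the item key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream (stand-in for AES-CTR)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_field(key: bytes, plaintext: bytes, associated_data: bytes = b"") -> bytes:
    """Encrypt-then-MAC; the tag covers associated_data || nonce || ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, associated_data + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_field(key: bytes, blob: bytes, associated_data: bytes = b"") -> bytes:
    """Verify the tag in constant time before decrypting; raise on mismatch."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, associated_data + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: ciphertext does not belong to this field")
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))


def swap_password_into_url(item: dict) -> dict:
    """Model the server-side tampering the article describes: URL slot gets the password ciphertext."""
    tampered = dict(item)
    tampered["url"] = item["password"]
    return tampered


def legacy_icon_lookup(key: bytes, item: dict) -> bytes:
    """Legacy client: decrypt the URL field and return what it would send to the icon service."""
    return decrypt_field(key, item["url"])


def bound_icon_lookup(key: bytes, item: dict) -> bytes:
    """Hardened client: decryption is bound to the field name, so a foreign ciphertext is refused."""
    return decrypt_field(key, item["url"], associated_data=b"url")


def run_scenario(key: bytes) -> dict:
    """Return what each client would send to the server after the swap."""
    legacy_item = {"url": encrypt_field(key, b"https://example.test/login"),
                   "password": encrypt_field(key, b"hunter2")}
    leaked = legacy_icon_lookup(key, swap_password_into_url(legacy_item))

    bound_item = {"url": encrypt_field(key, b"https://example.test/login", b"url"),
                  "password": encrypt_field(key, b"hunter2", b"password")}
    try:
        bound_icon_lookup(key, swap_password_into_url(bound_item))
        hardened_rejected = False
    except ValueError:
        hardened_rejected = True
    return {"legacy_sends_to_server": leaked, "hardened_rejected_swap": hardened_rejected}


if __name__ == "__main__":
    print(run_scenario(os.urandom(32)))
```

Binding the field name is the minimum; a production design would also bind the item identifier (so a password ciphertext cannot be moved between items) and a vault or account identifier, and would use a standard AEAD such as AES-GCM rather than the toy construction here. The same check is what an audit conducted under a malicious-server threat model, as Paterson suggests, would be looking for.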
The researchers estimated that some attacks, like the one against Dashlane, would take significant time to execute. A malicious server would need roughly 125 days of interaction to decrypt a vault using a padding oracle attack. However, other attacks involving key replacement are instantaneous and require no brute force.
Industry response and the future of zero knowledge
The companies involved have patched many of the reported vulnerabilities since receiving the research findings. Bitwarden, LastPass, and Dashlane representatives argued that the "malicious server" threat model represents a very high bar for attackers. They emphasized that their products undergo regular third-party audits and red-team exercises to maintain security.
1Password, which was also mentioned in the research, stated that its security team found no new attack vectors in the paper. The company pointed to its own Security Design White Paper, which already acknowledges that a compromised server could provide dishonest public keys. 1Password maintains that its architecture is designed to evolve against these advanced threats.
The term "zero knowledge" remains a point of contention between researchers and marketers. The phrase was originally a specific cryptographic term for proving knowledge without revealing the information itself. In the password manager industry, it has become a marketing label that often lacks a standardized technical definition.
Lead author Matteo Scarlata described the term as "marketing hype" similar to "military-grade encryption." He noted that LastPass told researchers they do not internally adopt a malicious server threat model. This disconnect suggests that users should remain cautious about the absolute privacy promises made by cloud-based security providers.