Zero knowledge in password managers is not foolproof
Briefly

"For years, password managers have been promoting themselves as secure vaults that even the provider cannot access. This zero-knowledge principle is intended to reassure users that their most sensitive data will remain protected even in the event of a server breach. However, new academic research casts serious doubt on this promise. Researchers at ETH Zurich and USI Lugano analyzed several popular password managers and concluded that the claim that providers cannot see users' vaults does not always hold true."
"In specific configurations, someone with server access, for example, after a hack or through abuse of administrative rights, can still view data and sometimes even take over entire vaults. These are not exotic edge cases, but functions that many organizations use. The study focused on Bitwarden, Dashlane, and LastPass, among others. According to Ars Technica, these managers together account for tens of millions of users. These services publicly state that no one can access stored data without a master password."
"A major problem lies in the way account recovery is set up. In some products, cryptographic keys are exchanged when adding new users or recovering accounts, without their integrity being properly verified. An attacker who can manipulate the server can replace those keys with their own. This makes it possible to decrypt encrypted data later. The researchers emphasize that this is not about breaking strong encryption, but about abusing the processes surrounding it."
Analysis by teams at ETH Zurich and USI Lugano found that the zero-knowledge claims of several popular password managers can fail under typical configurations. Features such as account recovery, group sharing, and support for older clients widen the attack surface. Server-side access, whether gained through a breach or through abused administrative rights, can enable viewing or takeover of entire vaults. The core weakness is a protocol and process flaw rather than a cryptographic one: keys are exchanged during recovery and sharing without integrity verification, so whoever controls the server can substitute a key they hold. None of this involves breaking the encryption algorithms; it abuses the recovery and sharing mechanisms built around them, which remain widely used.
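As an added illustration that is not part of the Techzine article or the ETH Zurich/USI Lugano paper, the following Python model shows the class of flaw described above: a vault key is wrapped to a recipient's public key fetched from the server, a compromised server swaps in its own key at lookup time, and the operator unwraps the vault key without touching the cipher. The toy Diffie-Hellman group, the SHA-256 keystream, the `Server` class and the out-of-band fingerprint check are illustrative simplifications, not the protocol of any named product.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters for illustration only (assumption: a real
# product would use X25519 or RSA-OAEP; this 127-bit group is NOT secure).
P = 2**127 - 1
G = 5


def keygen():
    """Return (private, public) for the toy DH group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def fingerprint(pub):
    """Short key fingerprint a user can compare out of band (phone, in person)."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]


def wrap_key(priv, peer_pub, vault_key):
    """Encrypt a 32-byte vault key to peer_pub: toy DH shared secret -> SHA-256
    keystream -> XOR. Unwrapping is the same operation with the other side's keys."""
    shared = pow(peer_pub, priv, P).to_bytes(16, "big")
    stream = hashlib.sha256(b"wrap" + shared).digest()
    return bytes(a ^ b for a, b in zip(vault_key, stream))


unwrap_key = wrap_key  # XOR keystream: symmetric in both directions


class Server:
    """Key directory plus wrapped-key store (constructed model, not a real API).
    honest=False models an operator or intruder who controls the server."""

    def __init__(self, honest=True):
        self.pubkeys = {}
        self.wrapped = {}
        self.honest = honest
        self.attacker_priv, self.attacker_pub = keygen()

    def register(self, user, pub):
        self.pubkeys[user] = pub

    def get_pubkey(self, user):
        # The substitution: a compromised server hands out its own public key
        # in place of the one the user registered.
        return self.pubkeys[user] if self.honest else self.attacker_pub

    def store_wrapped(self, sender, recipient, blob):
        self.wrapped[(sender, recipient)] = blob

    def attacker_recover(self, sender, recipient):
        """What the server side can do with the stored blob: unwrap it with the
        substituted private key and the sender's genuine public key."""
        blob = self.wrapped[(sender, recipient)]
        return unwrap_key(self.attacker_priv, self.pubkeys[sender], blob)


def share_vault_key(server, sender, sender_priv, recipient, vault_key, expected_fp=None):
    """Sender wraps the vault key to the recipient's published key. When an
    out-of-band fingerprint is supplied, a mismatching key aborts the share."""
    peer_pub = server.get_pubkey(recipient)
    if expected_fp is not None and fingerprint(peer_pub) != expected_fp:
        raise ValueError("public key for %s does not match verified fingerprint" % recipient)
    server.store_wrapped(sender, recipient, wrap_key(sender_priv, peer_pub, vault_key))


def receive_vault_key(server, recipient, recipient_priv, sender):
    """Recipient unwraps using the sender's key as published by the server."""
    blob = server.wrapped[(sender, recipient)]
    return unwrap_key(recipient_priv, server.get_pubkey(sender), blob)


def demo(honest_server, verify):
    """One sharing round between alice and bob. Returns (vault_key, what bob
    recovered, what the server side recovered)."""
    server = Server(honest=honest_server)
    alice_priv, alice_pub = keygen()
    bob_priv, bob_pub = keygen()
    server.register("alice", alice_pub)
    server.register("bob", bob_pub)
    vault_key = secrets.token_bytes(32)
    bob_fp = fingerprint(bob_pub) if verify else None  # learned out of band
    share_vault_key(server, "alice", alice_priv, "bob", vault_key, bob_fp)
    bob_key = receive_vault_key(server, "bob", bob_priv, "alice")
    attacker_key = server.attacker_recover("alice", "bob")
    return vault_key, bob_key, attacker_key


if __name__ == "__main__":
    vk, bk, ak = demo(honest_server=False, verify=False)
    print("compromised server, no key verification: operator has vault key:", ak == vk)
    try:
        demo(honest_server=False, verify=True)
    except ValueError as e:
        print("with fingerprint check:", e)
```

Against an honest server the unverified flow works and the operator learns nothing; against a compromised server the same flow hands the operator the vault key while the intended recipient gets garbage. The only thing that changes the outcome is whether the fetched key is checked against something the server does not control.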
Read at Techzine Global