Why are they vulnerable?
Many password managers store passwords in encrypted form in the cloud. The advantage of this is that you can access your passwords across all your devices, no matter where you are. The important bit is that your passwords are encrypted, which guarantees that those passwords are secure against unauthorized access. Even if hackers gain access to the password manager’s servers, the encryption will thwart them.
But Swiss security researchers found vulnerabilities in popular password managers Bitwarden, LastPass, and Dashlane: “[The researchers’] attacks ranged from breaches of the integrity of targeted user vaults to the complete compromise of all vaults of an organization using the service. In most cases, the researchers were able to gain access to the passwords—and even manipulate them.”
The researchers demonstrated 12 attacks on Bitwarden, 7 on LastPass, and 6 on Dashlane. To do this, they set up their own servers that behaved like a hacked password manager server. The researchers then initiated “simple interactions that users or their browsers routinely perform when using the password manager, such as logging into the account, opening the vault, viewing passwords, or synchronizing data.”
The researchers found “very bizarre code architectures,” which were probably created because the companies were trying to “offer their customers the most user-friendly service possible, for example the ability to recover passwords or share their account with family members.”
This not only makes the code architectures more complex and confusing, but ends up increasing the number of potential attack points for hackers. The security researchers warn: “Such attacks don’t require particularly powerful computers and servers, just small programs that can spoof the server’s identity.”
Before publishing their findings, the researchers informed each password manager so they’d have enough time to fix the flaws. They all responded positively, but not all fixed the flaws at the same speed.