Password Managers Vulnerable to Vault Compromise Under Malicious Server
"Several types of attacks were conducted against each of the tested password managers to degrade security guarantees, undermine expected protections, and fully compromise user accounts. The experts targeted features used for account recovery and SSO login, as well as features designed for backward compatibility. They conducted attacks leveraging improper vault integrity and attacks enabled by sharing features, which allow families or businesses to use the same credentials."
"A team of security researchers from ETH Zurich in Switzerland has analyzed popular password managers and identified ways in which threat actors could compromise users' vaults and access sensitive data. However, the researchers did not test the password managers against external or client-side attacks. Instead, they targeted zero-knowledge encryption, a security model where the service provider is unable to access the user's encrypted data and the data should be protected even if the provider's servers are compromised."
A team of security researchers from ETH Zurich analyzed popular cloud-based password managers under the assumption that the servers storing user vaults are fully malicious. The analysis focused on Bitwarden, Dashlane, LastPass, and 1Password, with primary attention on the first three. The attack classes studied targeted account recovery, single sign-on, backward-compatibility features, vault integrity, and the sharing mechanisms used by families and businesses. The researchers demonstrated vault compromise across all tested products, achieving full vault compromise for Bitwarden and LastPass and shared-vault compromise for Dashlane. In the demonstrated scenarios, an attacker controlling the server could view and modify the user's stored credentials. Several vendors noted that many of the attacks require full compromise of the service's servers.
Read at SecurityWeek