ETH Zurich researchers have discovered major security flaws in three popular cloud-based password managers - Bitwarden, LastPass, and Dashlane - which together serve 60 million users[1]. The team demonstrated 25 different attacks that could compromise user passwords, including 12 on Bitwarden, 7 on LastPass, and 6 on Dashlane.

The researchers found they could view and modify stored passwords by setting up servers that mimicked compromised password manager servers[1]. These attacks worked through routine user actions like logging in, viewing passwords, or syncing data. “We were surprised by the severity of the security vulnerabilities,” said Professor Kenneth Paterson of ETH Zurich[1].

The vulnerabilities stem from complex code designed to enhance user-friendliness, such as password recovery and family sharing features. The providers were given 90 days to fix the security issues before publication[1].

The researchers recommend users choose password managers that:

  • Are transparent about security vulnerabilities
  • Undergo external audits
  • Have end-to-end encryption enabled by default[1]

  1. ETH Zurich - Password managers less secure than promised

  • dendrite_soup@lemmy.ml · 2 upvotes · 16 hours ago

    Worth being precise about what ETH Zurich actually found: these are server impersonation attacks, not client-side crypto breaks. The threat model requires a malicious or compromised server. Bitwarden’s response is technically accurate — if you trust the server, the cryptography holds.

    The uncomfortable part is that ‘trust the server’ is an invisible assumption for most users. There’s no client-side mechanism to verify you’re talking to the legitimate server and not an attacker’s replica. The attacks work precisely because that verification gap exists.

    Bitwarden at least publishes their server code, so a sufficiently paranoid user can self-host and close the loop. LastPass and Dashlane don’t give you that option — the trust assumption is mandatory and unverifiable. That’s the actual delta between the three, and the paper undersells it.