惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
小众软件
小众软件
博客园_首页
博客园 - 聂微东
V
V2EX
WordPress大学
WordPress大学
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
罗磊的独立博客
酷 壳 – CoolShell
酷 壳 – CoolShell
博客园 - 司徒正美
博客园 - 三生石上(FineUI控件)
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
S
SegmentFault 最新的问题
J
Java Code Geeks
Last Week in AI
Last Week in AI
The Cloudflare Blog
月光博客
月光博客
雷峰网
雷峰网
宝玉的分享
宝玉的分享
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Hugging Face - Blog
Hugging Face - Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
有赞技术团队
有赞技术团队
人人都是产品经理
人人都是产品经理
博客园 - Franky
腾讯CDC
Jina AI
Jina AI
博客园 - 叶小钗
大猫的无限游戏
大猫的无限游戏
阮一峰的网络日志
阮一峰的网络日志
量子位
爱范儿
爱范儿
美团技术团队
T
Tailwind CSS Blog
博客园 - 【当耐特】
D
Docker
IT之家
IT之家
V
Visual Studio Blog
P
Proofpoint News Feed
L
LangChain Blog
Engineering at Meta
Engineering at Meta
C
Check Point Blog
G
Google Developers Blog
Google DeepMind News
Google DeepMind News
云风的 BLOG
云风的 BLOG
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Microsoft Azure Blog
Microsoft Azure Blog
B
Blog RSS Feed
Recorded Future
Recorded Future

www.infosecurity-magazine.com

Just Three Ransomware Gangs Accounted for 40% of Attacks Last Month Google Chrome Rolls Out Protection Against Infostealers Targeting Session Cookies STX RAT Targets Finance Sector With Advanced Stealth Tactics Bitcoin Depot Reports $3.6m Crypto Theft After System Breach Atomic Stealer MacOS ClickFix Attack Bypasses Apple Security Warnings Middle East Hack-for-Hire Operation Traced to South Asian Cyber Espionage Group Governance Gaps Emerge as AI Agents Drive 76% Increase in NHIs Google Warns of New Threat Group Targeting BPOs and Helpdesks Google API Keys Quietly Gain Access to Gemini on Android Devices Critical Vulnerability in Ninja Forms Exposes WordPress Sites Anthropic Launches Project Glasswing to Use AI to Find and Fix Critical Software Vulnerabilities US Thwarts DNS Hijacking Network Controlled by Russian APT28 Hackers Claude Discovers Apache ActiveMQ Bug Hidden for 13 Years Iran‑Backed Threat Actors Hit US CNI Providers via Internet‑Facing OT Assets Russian APT28 Hackers Hijack Routers to Steal Credentials, UK Security Agency Warns GPU Rowhammer Attack Enables Privilege Escalation and Full System Compromise GrafanaGhost Exploit Bypasses AI Guardrails for Silent Data Exfiltration Over $17bn Lost to Cyber Fraud in the Last Year, Warns FBI Storm-1175 Exploits Flaws in High-Velocity Medusa Attacks Fortinet Releases Emergency Patch After FortiClient EMS Bug Is Exploited New Phishing Platform Used in Credential Theft Campaigns Against C-Suite Execs New 'Storm' Infostealer Remotely Decrypts Stolen Credentials NCSC Issues Security Alert Over Hackers Targeting WhatsApp and Signal Accounts Apple Expands iOS 18 Security Updates Amid DarkSword Threat Researchers Observe Sub-One-Hour Ransomware Attacks GitHub Used as Covert Channel in Multi-Stage Malware Campaign Most CNI Firms Face Up to £5m in Downtime from OT Attacks Google Introduces Android Dev Verification Amid Openness Debate New Venom Stealer MaaS Platform Automates Continuous Data Theft Chinese Hackers Target European Governments in Espionage Campaigns Eight in 10 UK Manufacturers Hit by Cyber Incident in a Year Hackers Hijack Axios npm Package to Spread RATs Maryland Man Charged Over $53m Uranium Finance Crypto Hack Phantom Project Bundles Infostealer, Crypter and RAT For Sale ChatGPT Security Issue Enabled Data Theft via Single Prompt TeamPCP Explores Ways to Exploit Stolen Supply Chain Secrets Employee Data Breaches Surge to Seven-Year High NCSC Urges Immediate Patching of F5 BIG-IP Bug Cybercriminals Exploit Tax Season With New Phishing Tactics Lloyds IT Glitch Exposed Data of Nearly 500,000 Banking Customers DeepLoad Malware Combines ClickFix With AI-Generated Code to Avoid Detection Critical Citrix NetScaler Vulnerability Exploited in the Wild ICO Fines UK Nuisance Call Scammers £100,000 European Commission Confirms Cloud Data Breach New Wave of AiTM Phishing Targets TikTok for Business TeamPCP Targets Telnyx Package in Latest PyPI Software Supply Chain Attack Quantum Computing Threat to Encryption Is Closer Than Expected, Warns Google UK Cracks Down on Chinese Crypto Marketplace for Funding Southeast Asia Scam Hubs Security Researchers Sound the Alarm on Vulnerabilities in AI-Generated Code Attackers Rapidly Weaponize Critical Oracle WebLogic RCE, Honeypot Study Finds EtherRAT Techniques Bypass Security Via Ethereum Smart Contracts AI Becomes the Top Cybersecurity Priority for Defenders as Criminals Exploit It, PwC Warns OpenAI Expands Bug Bounty to Cover AI Abuse and 'Safety' Concerns Iran-Linked Pay2Key Ransomware Group Re-Emerges Invoice Fraud Costs UK Construction Sector Millions, NCA Warns Cloud Phones Linked to Rising Financial Fraud Threat Hackers Exploit Compromised Enterprise Identities at Industrial Scale, Warns SentinelOne US: FCC Bans Foreign-Made Routers Over National Security Concerns TeamPCP Expands Supply Chain Campaign With LiteLLM PyPI Compromise Experts Sound Alarm Over “Prompt Poaching” Browser Extensions Operation Henhouse Nets Over 500 Arrests in UK Fraud Crackdown RSA Conference: UK NCSC Head Urges Industry to Develop Vibe Coding Safeguards Silver Fox Cyber Campaigns Show Shift Toward Dual Espionage Citrix Urges Immediate Patching for Critical NetScaler Vulnerabilities New Npm 'Ghost Campaign' Uses Fake Install Logs to Hide Malware Former Ukrainian Foreign Minister Dmytro Kuleba to Address the New Cyber Frontline at Infosecurity Europe Enterprise Cybersecurity Software Fails 20% of the Time, Warns Absolute Security Russian Initial Access Broker Handed 81-Month Sentence Handala Group Tied to Iranian Hack‑and‑Leak Operations, FBI Reveals Most Cybersecurity Staff Don’t Know How Fast They Could Stop a Cyber-Attack on AI Systems Tycoon2FA Phishing Service Resumes Activity Post-Takedown High-Tech Sector Overtakes Finance as Top Target for Cyber-Attacks, Mandiant Reports Trivy Supply Chain Attack Expands With New Compromised Docker Images CISA Orders US Government to Patch Maximum Severity Cisco Flaw Operation Alice Takes Down 370,000+ Dark Web Sites Hackers Exploit Critical Langflow Bug in Just 20 Hours NCA Boss Warns That Teens Are Being “Radicalized” Into Cybercrime Online Ransomware Affiliate Exposes Details of 'The Gentlemen' Operation Financial Brands Targeted in Global Mobile Banking Malware Surge FCA Updates Cyber Incident and Third-Party Reporting Rules AWS Warns Hackers Have Abused Cisco Firewall Zero-Day Since January UK: Regulation Drives Cyber Spending for Critical Infrastructure Orgs New Ubuntu Flaw Enables Local Attackers to Gain Root Access Crypto Scam "ShieldGuard" Dismantled After Malware Discovery AI-Enabled Adversaries Compress Time-to-Exploit Following Vulnerability Disclosure Vidar Stealer 2.0 Exploits GitHub, Reddit to Deliver Malware via Fake Game Cheats AI Issues Will Drive Half of Incident Response Efforts by 2028, Says Gartner Android OS-Level Attack Bypasses Mobile Payment Security 'CursorJack’ Attack Path Exposes Code Execution Risk in AI Development Environment Surge in Nation State Attacks on UK Firms Amid Cyber Warfare Fears Aeternum Botnet Shifts Command Control to Polygon Blockchain Leading Semiconductor Supplier Advantest Hit by Ransomware Attack Remcos RAT Expands Real-Time Surveillance Capabilities SMEs Wrong to Assume They Won’t Be Hit by Cyber-Attacks, NCSC Boss Warns Google Warns of In the Wild Exploit as It Patches New Chrome Zero Day Phorpiex Phishing Delivers Low-Noise Global Group Ransomware BridgePay Confirms Ransomware Attack, No Card Data Compromised New Hacking Campaign Exploits Microsoft Windows WinRAR Vulnerability Labyrinth Chollima Evolves into Three North Korean Hacking Groups Google Disrupts Extensive Residential Proxy Networks
Vulnerabilities in Password Managers Allow Hackers to View and Change Passwords
2026-02-16 · via www.infosecurity-magazine.com

A group of academic security researchers have detailed a set of vulnerabilities in four popular cloud-based password managers that could allow an attacker to view and change the passwords stored in a victim’s vaults.

The researchers, from ETH Zurich and the Università della Svizzera italiana (USI), in Switzerland, developed 27 successful attack scenarios targeting cloud-based password management services from Bitwarden, LastPass, Dashlane and 1Password.

The attacks ranged in severity from integrity violations to the complete compromise of all vaults in an organization, with many of these scenarios allowing attackers to recover passwords.

These attack scenarios challenged the password management providers’ claims of offering ‘zero-knowledge encryption,’ which conveys the idea that the server storing the user vaults cannot learn anything about its contents, even if it is compromised.

The findings were published in a peer-reviewed paper released on February 16 and will be the subject of a talk at the next USENIX Security Symposium, which will be held in Baltimore, MD in August 2026.

Attacking End-to-End Encryption Claims

The 27 attack scenarios developed by the researchers revealed common design anti-patterns and cryptographic misconceptions, including unauthenticated public keys, lack of ciphertext integrity, insufficient key separation and missing cryptographic binding between data and metadata.

They fell into four categories based on the password manager feature they exploited:

  • Key escrow: full vault compromise via unauthenticated key escrow and account recovery features (four successful attacks: three against Bitwarden, one against LastPass)
  • Vault encryption: integrity violations, metadata leakage, field swapping and key derivation function (KDF) downgrade through flawed item-level encryption (11 successful attacks: five against LastPass, four against Bitwarden, one against Dashlane and one against 1Password)
  • Sharing: organization and shared vault compromise via unauthenticated public keys (five successful attacks: two against Bitwarden, one against LastPass, one against Dashlane, one against 1Password)
  • Backwards compatibility: downgrade to insecure legacy encryption, enabling confidentiality loss and brute-force attacks (seven successful attacks: four against Dashlane, three against Bitwarden)

In total, the researchers presented 12 distinct attack scenarios against Bitwarden, seven against LastPass, six against Dashlane and two against 1Password.

They noted that, unlike the other three password managers, 1Password includes a high-entropy cryptographic key in the key derivation – which the company calls a “secret key” – alongside the master password a user needs to access its vaults and passwords.

This grants 1Password with a security advantage and means “brute-force attacks should be out of reach,” the researchers added.

Kenneth Paterson, professor at ETH Zurich’s Department of Computer Science and one of the lead authors of the paper, said that he and his colleagues were “surprised by the severity of the security vulnerabilities.”

He explained that his team had already discovered similar vulnerabilities in other cloud-based services but had assumed a significantly higher standard of security for password managers due to the critical data they store.

“Since end-to-end encryption is still relatively new in commercial services, it seems that no one had ever examined it in detail before,” he said.

Malicious Auto-Enrolment Against Bitwarden

An example of an attack developed by the researchers was a ‘malicious auto-enrolment’ attack against a cloud-based Bitwarden vault (BW01).

This exploited a critical flaw in Bitwarden’s organization onboarding process, where an adversary controlling the server could silently hijack a user’s vault the moment they accepted an invitation, even from a trusted source.

The core issue was in the lack of integrity protection for organization data fetched during onboarding, including policies and cryptographic keys. When a user joins an organization, their client blindly trusts the server’s response, allowing an attacker to manipulate it.

By enabling auto-enrolment in the account recovery policy and swapping the organization’s legitimate public key with their own, an attacker could force the client to encrypt the user’s master key under the malicious key, handing it over without resistance.

The attack unfolds in three key steps.

  1. The adversary intercepts the user’s request to join the organization, replacing the server’s response with a tampered policy (setting auto-enrolment to true) and a forged public key
  2. The client, unaware of the deception, encrypts the user’s master key under the attacker’s key and sends it back as an ‘account recovery ciphertext’
  3. Finally, the attacker decrypts this ciphertext using their private key, exposing the master key

With the user’s master key in hand, the attacker could gain full access to all stored passwords, notes, and sensitive data, as well as the ability to modify or delete entries undetected.

The impact can be severe: a single compromised server can lead to the mass compromise of users, even if they join legitimate, trusted organizations.

Worse, the attack scales exponentially. If an attacker breaches one user in an organization, they gain access to the organisation’s private key, which could be shared among several members of their team.

Remediation Underway at Bitwarden, LastPass and Dashlane

The researchers disclosed their findings to Bitwarden, LastPass and Dashlane through a coordinated 90-day disclosure process that included detailed descriptions of all vulnerabilities.

They also offered support through video conferences, email exchanges and patch review.

All three vendors notified the researchers that remediation of these vulnerabilities is underway.

1Password, also made aware of the two attack scenarios performed by the researchers against their services, did not request an embargo period but said the company regards the vulnerabilities as “arising from already known architectural limitations.”

Jacob DePriest, CISO/CIO at 1Password told Infosecurity that the firm's security team reviewed the paper in depth and found no new attack vectors beyond those already documented in their  publicly available Security Design White Paper

He also explained that 1Password regularly evaluates the company's security architecture against advanced threat models, including malicious-server scenarios like those described in the research, and evolve it when needed.

"For example, 1Password uses secure remote password (SRP) to authenticate users without transmitting encryption keys to our servers, helping mitigate entire classes of server-side attacks. More recently, we introduced a new capability for enterprise-managed credentials, which from the start are created and secured to withstand sophisticated threats," DePriest added.

Dashlane shared a blog post addressing the paper’s findings and detailing a fix the firm deployed to mitigate the issue.

LastPass said the company was "grateful" for the research.

"While our own assessment of these risks may not fully align with the severity ratings assigned by the ETH Zurich team, we take all reported security findings seriously," a LastPass spokesperson told Infosecurity.

"We have already implemented multiple near‑term hardening measures while also establishing plans to remediate or reinforce the relevant components of our service on a timeline commensurate with the assessed risk.”

The ETH Zurich researchers noted that they have “no reason to believe” that the password manager vendors are currently malicious or compromised and that passwords “are safe as long as things stay that way.”

“That said, password managers are high-value targets, and breaches do happen,” the researchers added.

Additionally, a Dashlane spokesperson told Infosecurity it found no evidence of exploitation related to these issues. 

Mitigation Recommendations

In the scientific paper, the researchers said their attacks can all be mitigated using a combination of authentication methods, such as authentication encryption, key separation, plaintext authentication, public key authentication and ciphertext authentication.

Users of Bitwarden, LastPass or Dashlane are advised to check the remediation status of their providers.

Users of other password managers can see if their passwords could be compromised by similar attacks by asking their providers to commission an audit or asking the following questions:

  • Do you offer end-to-end encryption? What security do you provide in case your server infrastructure was to be compromised?
  • How do you check that public keys and public-key ciphertexts are authentic?
  • How do you authenticate security-critical settings, such as the KDF type and the iteration count?
  • Do you provide integrity guarantees for a user's vault as a whole? Can a malicious server add items to your vault?

The article was updated on February 17 to add comments from 1Password and Dashlane and on February 18 to add comments from LastPass.

Read now: Five Ways to Dramatically Reduce the Risk of Password Compromise