
Server-side attacks undermine password managers’ ‘zero-knowledge’ assurances
A team from ETH Zurich and USI Lugano shows that an attacker who controls the provider's infrastructure can defeat many commercial “zero-knowledge” claims and read or modify vaults when specific features are active. Their analysis produced 25 distinct attacks that target real-world workflows such as account recovery, group sharing, and backward compatibility.
The researchers reverse‑engineered clients and protocol flows for Bitwarden, LastPass, and Dashlane, finding a recurring weakness: critical server-supplied key material and policy data are not authenticated by the client. This allows an adversary who controls the server to substitute attacker-generated public keys or alter recovery modes, producing ciphertext that the attacker can decrypt with the corresponding private key.
Concrete chains include a group-enrollment exploit that replaces a group public key to obtain a new user’s symmetric key, a superadmin-key replacement that targets LastPass Teams flows, and a sharing-channel manipulation that exposes shared-item secrets in Dashlane. Several attacks exploit item-level encryption malleability, where different fields use the same key and ciphertexts can be swapped to force clients to reveal sensitive fields.
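The field-swapping weakness above comes from tags and keys that are not tied to a field. This added example (not code from the paper or from any vendor) sketches the countermeasure: a per-field key derived with HKDF plus an HMAC-SHA256 tag bound to the item and field name, the same binding an AEAD's associated data provides. All function names are hypothetical, and the ciphertext bytes are constructed, opaque placeholders for whatever cipher the client uses.

```python
import hashlib
import hmac

def lp(value: str) -> bytes:
    """Length-prefix a label so ("ab", "c") and ("a", "bc") never collide."""
    raw = value.encode()
    return len(raw).to_bytes(2, "big") + raw

def field_key(item_key: bytes, item_id: str, field: str) -> bytes:
    """HKDF-SHA256 (RFC 5869, zero salt, one output block): one key per item field."""
    prk = hmac.new(b"\x00" * 32, item_key, hashlib.sha256).digest()
    info = b"field-auth" + lp(item_id) + lp(field)
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()

def seal(item_key: bytes, item_id: str, field: str, ciphertext: bytes) -> bytes:
    """Append a tag that is only valid for this item and this field."""
    key = field_key(item_key, item_id, field)
    return ciphertext + hmac.new(key, ciphertext, hashlib.sha256).digest()

def open_sealed(item_key: bytes, item_id: str, field: str, blob: bytes) -> bytes:
    """Return the ciphertext for decryption only if the tag matches this slot."""
    ciphertext, tag = blob[:-32], blob[-32:]
    key = field_key(item_key, item_id, field)
    expected = hmac.new(key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError(f"{item_id}/{field}: ciphertext not authentic for this field")
    return ciphertext

def load_item(item_key: bytes, item_id: str, stored: dict) -> dict:
    """Verify every field before any of them is decrypted or displayed."""
    return {name: open_sealed(item_key, item_id, name, blob)
            for name, blob in stored.items()}

if __name__ == "__main__":
    key = bytes(range(32))  # constructed item key
    stored = {              # constructed opaque ciphertexts
        "url": seal(key, "item-1", "url", b"\x11" * 16),
        "password": seal(key, "item-1", "password", b"\x22" * 16),
    }
    load_item(key, "item-1", stored)  # an untouched item loads normally
    swapped = {"url": stored["password"], "password": stored["url"]}
    try:
        load_item(key, "item-1", swapped)
    except ValueError as err:
        print("rejected:", err)
```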
The paper also leverages legacy support decisions: clients accept older ciphertext formats to avoid locking out unpatched users, and that backward compatibility enables downgrade and padding-oracle attacks that can reveal plaintext encrypted under weaker modes such as CBC. One Dashlane chain requires roughly 125 oracle queries to recover a vault item under the crafted scenario.
Another class of high‑impact flaws targets key‑escrow and recovery. When recovery is enabled, clients sometimes send recovery ciphertexts encrypted to organization or admin keys fetched from the server; if those public keys are spoofed by an attacker, the recovery ciphertext becomes decryptable by the adversary, yielding the user key and full vault access.
The researchers further show that the iteration count for client-side password hashing is supplied by the server without authentication, and clients honor whatever count they receive. In tested cases the default parameter can be replaced (from 600,000 iterations down to 2), dramatically reducing the computational work needed to brute-force a master password when an attacker controls the server side of the protocol.
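Both the recovery-key substitution and the iteration-count downgrade described above succeed because the client acts on server data before checking it. The following added example (not code from the paper or any vendor) shows a client that validates both values locally before deriving or wrapping anything. It assumes PBKDF2-HMAC-SHA256 as the password hash and a key fingerprint verified out of band; the response field names, function names and sample values are hypothetical.

```python
import hashlib
import hmac

MIN_ITERATIONS = 600_000  # client-side floor; value taken from the default cited above

class UntrustedServerData(Exception):
    """A server-supplied security parameter failed a local check."""

def checked_iterations(server_value, last_seen=None):
    """Accept the server's iteration count only if it cannot weaken hashing."""
    if not isinstance(server_value, int) or isinstance(server_value, bool):
        raise UntrustedServerData("iteration count is not an integer")
    if server_value < MIN_ITERATIONS:
        raise UntrustedServerData(f"iteration count {server_value} is below the floor")
    if last_seen is not None and server_value < last_seen:
        raise UntrustedServerData("iteration count lower than on the previous login")
    return server_value

def checked_recovery_key(server_key: bytes, pinned_fingerprint: str) -> bytes:
    """Accept a recovery public key only if it matches the out-of-band fingerprint."""
    actual = hashlib.sha256(server_key).hexdigest()
    if not hmac.compare_digest(actual.encode(), pinned_fingerprint.lower().encode()):
        raise UntrustedServerData("recovery public key does not match the pinned fingerprint")
    return server_key

def prepare_login(response: dict, local: dict, password: str) -> dict:
    """Validate everything first; derive and wrap keys only afterwards."""
    iterations = checked_iterations(response["kdf_iterations"], local.get("last_iterations"))
    recovery_key = checked_recovery_key(response["recovery_pubkey"],
                                        local["recovery_fingerprint"])
    master_key = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     response["salt"], iterations)
    return {"master_key": master_key, "recovery_key": recovery_key, "iterations": iterations}

if __name__ == "__main__":
    org_key = b"constructed-org-public-key-bytes"  # constructed sample, not a real key
    local = {"last_iterations": 600_000,
             "recovery_fingerprint": hashlib.sha256(org_key).hexdigest()}
    honest = {"kdf_iterations": 600_000, "salt": b"user@example.test",
              "recovery_pubkey": org_key}
    print(prepare_login(honest, local, "correct horse")["iterations"])
    for tampered in ({**honest, "kdf_iterations": 2},
                     {**honest, "recovery_pubkey": b"substituted"}):
        try:
            prepare_login(tampered, local, "correct horse")
        except UntrustedServerData as err:
            print("refused:", err)
```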
The study emphasizes that full server compromise is a high bar, but plausible against well-resourced adversaries via supply-chain, insider, or targeted breaches. The researchers note the attacks are often feature‑gated; disabling autorecovery, minimizing legacy modes, and authenticating server-supplied keys would block many chains.
Vendors have begun remediations and pushed updates after receiving disclosures; the affected firms emphasize routine audits, red teaming, and bug bounty programs. Still, the paper calls for design changes that shift critical trust decisions into the client and for independent evaluations that include malicious‑server threat models.
This work reframes “zero‑knowledge encryption” as a spectrum rather than a binary guarantee: marketing labels do not replace protocol-level guarantees such as authenticated key distribution, per‑field key separation, and mandatory authenticated encryption. For administrators and security teams, the takeaway is to treat password manager servers as high‑value targets and to limit features that increase server‑driven trust.
- 94 million US adults reported using password managers (≈36% of US adults).
- Top three vendors analyzed serve ≈60 million users collectively.
- Researchers created 25 distinct exploit chains.
- Hashing iteration parameter observed: 600,000 → 2 (server-provided value).
- Dashlane padding-oracle estimate: ≈125 queries to recover a vault item under the crafted attack.
