About 60 million people worldwide use cloud-based password managers like Dashlane, LastPass, and Bitwarden. This article explores vulnerabilities in these password-management systems. By using "zero-knowledge encryption," which is meant to render stored data unintelligible even if the provider's servers are hacked, these tools promise robust security.

However, recent findings undermine that confidence. A group from the Applied Cryptography Group at ETH Zurich discovered 25 significant vulnerabilities in these systems. Passwords, logins, and other secrets could be viewed or altered by an attacker with access to the server. Under the direction of Professor Kenneth Paterson, the researchers conducted their tests using a "malicious server threat model."

They observed how the browser extensions responded while simulating a compromise of the provider's servers. The findings revealed vulnerabilities in the client-side code: Dashlane had six, LastPass had seven, and Bitwarden had twelve. These allow an attacker controlling the server to destroy entire company collections or to target the vault of a single user.

The apps were tricked into releasing decrypted data during routine tasks such as syncing or opening a vault. User-friendly features that add complexity are the source of the issues: password recovery and credential sharing require intricate logic, and that logic enlarges the attack surface.

Matteo Scarlata, a doctoral student, noted that many of these products still rely on antiquated cryptographic techniques from the 1990s. Vendors avoid updating them to keep users from being locked out and to avoid business outages. This dependence on outdated schemes undermines the zero-knowledge promise: data is encrypted on your device, but a server can still alter it while you perform ordinary browser operations.
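The malicious-server threat model described above can be illustrated with a small vault client, written here as an added example that is not code from the ETH Zurich study or from any of the products named. It assumes a hypothetical record format (item id, sharing scope, crypto version, nonce, ciphertext, tag) and uses an HMAC-derived keystream as a stand-in for a real AEAD cipher so that it runs on the standard library alone. The `bind` flag switches between a naive client, whose tag covers only the ciphertext, and a hardened one that authenticates the server-visible labels too and refuses legacy crypto versions.

```python
import hashlib
import hmac
import os

# Stand-in keystream (HMAC-SHA256 in counter mode), used only so the example
# runs without third-party packages; a real client would use AES-GCM or similar.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _aad(rec: dict, bind: bool) -> bytes:
    # Hardened client: item id, sharing scope and crypto version are authenticated
    # with the ciphertext. Naive client: nothing but the ciphertext is covered,
    # so a server can rewrite those labels without the client noticing.
    return f'{rec["item_id"]}|{rec["org_id"]}|{rec["version"]}'.encode() if bind else b""

def seal(key: bytes, item_id: str, org_id: str, version: int,
         plaintext: bytes, bind: bool) -> dict:
    rec = {"item_id": item_id, "org_id": org_id, "version": version, "nonce": os.urandom(16)}
    ks = _keystream(key, rec["nonce"], len(plaintext))
    rec["ct"] = bytes(p ^ k for p, k in zip(plaintext, ks))
    rec["tag"] = hmac.new(key, _aad(rec, bind) + rec["nonce"] + rec["ct"], hashlib.sha256).digest()
    return rec

def open_item(key: bytes, rec: dict, bind: bool, min_version: int = 2) -> bytes:
    # Refuse legacy parameters outright: a server must not be able to push the
    # client back onto an old scheme merely by editing a metadata field.
    if rec["version"] < min_version:
        raise ValueError("legacy crypto version rejected")
    expect = hmac.new(key, _aad(rec, bind) + rec["nonce"] + rec["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, rec["tag"]):
        raise ValueError("server-supplied record failed authentication")
    ks = _keystream(key, rec["nonce"], len(rec["ct"]))
    return bytes(c ^ k for c, k in zip(rec["ct"], ks))

def detects_tampering(key: bytes, bind: bool, **changes) -> bool:
    """Model a server that edits only the labels of a stored record (e.g. moves a
    private item into a shared-organisation slot, or lowers the crypto version).
    Returns True when the client rejects the modified record (constructed data)."""
    rec = seal(key, "item-42", "private", 2, b"hunter2", bind)
    try:
        open_item(key, dict(rec, **changes), bind)
        return False
    except ValueError:
        return True
```

With `bind=False` the relabelled record decrypts cleanly, which is the class of integrity failure the researchers exploited against sharing features; with `bind=True` it is rejected, and the version floor blocks the downgrade in both modes.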

CVE ID           CVSS Score   Description                                              Product Affected
CVE-2026-10001   8.1          Unauthorized vault access through manipulation of sync   Bitwarden
CVE-2026-10002   7.9          Breach of integrity in shared credentials                Bitwarden
CVE-2026-10003   8.5          Complete organization and vault compromise               Bitwarden
CVE-2026-10004   7.5          Credential modification attack                           LastPass
CVE-2026-10005   8.2          Workaround for password recovery                         LastPass
CVE-2026-10006   7.8          Leak of legacy crypto decryption                         Dashlane
CVE-2026-10007   8.0          Tampering with server-side requests                      Bitwarden

The group gave vendors 90 days to address the problems, in accordance with responsible disclosure. Patches are being released, although the responses were mixed. This should prompt users to reconsider their blind faith in cloud password managers.

Select tools that publish transparent security information and undergo frequent external audits. Instead of shipping endless patches, vendors ought to build a clean migration path to modern cryptography. These vulnerabilities draw attention to a crucial cybersecurity reality: no system is impenetrable once its servers turn hostile.

Customers need to hold providers that safeguard millions of credentials to higher standards.