Bitwarden Heist - How to Break into Password Vaults Without Using Passwords::Sometimes, making particular security design decisions can have unexpected consequences. For security-critical software, such as password managers, this can easily lead to catastrophic failure: In this blog post, we show how Bitwarden’s Windows Hello …

  • @[email protected]
    link
    fedilink
    English
    7
    edit-2
    1 year ago

    Windows Hello

    Well yeah, windows hello has recently been shown to be flawed. If you’ve enabled that for your vault ofc it’s now a vulnerability.

    /edit: beyond that, they didn’t even compromise windows hello. They compromised a seprate domain controller for a workstation. It only effects bitwarden because biometric unlock has to store your vaults key on the machine.

    If a computer has a remote administrator and you compromise that remote administrator, obviously you’re going to gain access to everything they administrate… That would include credentials stored on machines they can reset the passwords too.

  • @[email protected]
    link
    fedilink
    English
    41 year ago

    This is a great write up. I was expecting some gotcha, but step-by-step it all makes sense. Many layers of this onion

    "activating biometric login on Windows means that the derived key is encrypted locally using a secret which can be retrieved after authentication via Windows Hello. "…