Bitwarden Heist - How to Break into Password Vaults Without Using Passwords
(blog.redteam-pentesting.de)
Well yeah, Windows Hello has recently been shown to be flawed. If you've enabled that for your vault ofc it's now a vulnerability.
/edit: beyond that, they didn't even compromise Windows Hello. They compromised a separate domain controller for a workstation. It only affects Bitwarden because biometric unlock has to store your vault's key on the machine.
If a computer has a remote administrator and you compromise that remote administrator, obviously you're going to gain access to everything they administrate... That would include credentials stored on machines they can reset the passwords to.