this post was submitted on 03 Jan 2024
12 points (100.0% liked)

Security Operations


Bitwarden Heist - How to Break into Password Vaults Without Using Passwords

Sometimes, making particular security design decisions can have unexpected consequences. For security-critical software, such as password managers, this can easily lead to catastrophic failure: In this blog post, we show how Bitwarden’s Windows Hello …

all 3 comments
[–] [email protected] 7 points 10 months ago* (last edited 10 months ago)

Windows Hello

Well yeah, Windows Hello has recently been shown to be flawed. If you've enabled that for your vault, ofc it's now a vulnerability.

/edit: beyond that, they didn't even compromise Windows Hello. They compromised a separate domain controller for a workstation. It only affects Bitwarden because biometric unlock has to store your vault's key on the machine.

If a computer has a remote administrator and you compromise that remote administrator, obviously you're going to gain access to everything they administrate... That would include credentials stored on machines they can reset the passwords to.

[–] [email protected] 4 points 10 months ago

This is a great write-up. I was expecting some gotcha, but step-by-step it all makes sense. Many layers of this onion.

"activating biometric login on Windows means that the derived key is encrypted locally using a secret which can be retrieved after authentication via Windows Hello. "....