Mxx
January 6, 2024, 8:02am
Just found a rather eye-opening article that I think people here would be interested in:
Sometimes, making particular security design decisions can have unexpected consequences. For security-critical software, such as password managers, this can easily lead to catastrophic failure: In this blog post, we show how Bitwarden’s Windows Hello...
Beware that, as the article points out, this was independently discovered, reported, and fixed nearly a year ago and disclosed half a year ago.
grb
January 6, 2024, 4:08pm
Here is a copy of Bitwarden founder @kspearrin's statement when this vulnerability was previously discussed on Reddit 6 months ago:
This was disclosed through our HackerOne program. You can read the details from the actual source here: https://hackerone.com/reports/1874155
Also note that this issue was only a threat when using Windows Hello with the desktop application on a device that was already compromised to a level that allowed access to Windows Credential Manager on your Windows account (basically, you have malware on your device). Classifying the storage as plaintext is a little misleading, in my opinion. The key was stored in Windows Credential Manager, which can access the plaintext value from within the scope of the Windows account. It’s not on disk in plaintext.
Latest versions of the Windows desktop application resolve the issue (starting with the April 2023 release, version 2023.4.0).
Also, here is a link to the Reddit community’s discussion of the RedTeam Pentesting blog article:
Mxx
January 6, 2024, 7:34pm
I never said or implied that Bitwarden was still vulnerable, and anybody who reads the first paragraph of the article will see that as well.
Nonetheless, it's an interesting read not just because it involves Bitwarden, but because it also highlights a potential exploit vector through an AD controller that people might not realize exists.