Bitwarden Heist - How to Break into Password Vaults Without Using Passwords::Sometimes, making particular security design decisions can have unexpected consequences. For security-critical software, such as password managers, this can easily lead to catastrophic failure: In this blog post, we show how Bitwarden’s Windows Hello …
Windows Hello
Well yeah, windows hello has recently been shown to be flawed. If you’ve enabled that for your vault ofc it’s now a vulnerability.
/edit: beyond that, they didn’t even compromise windows hello. They compromised a seprate domain controller for a workstation. It only effects bitwarden because biometric unlock has to store your vaults key on the machine.
If a computer has a remote administrator and you compromise that remote administrator, obviously you’re going to gain access to everything they administrate… That would include credentials stored on machines they can reset the passwords too.
This is a great write up. I was expecting some gotcha, but step-by-step it all makes sense. Many layers of this onion
"activating biometric login on Windows means that the derived key is encrypted locally using a secret which can be retrieved after authentication via Windows Hello. "…
Very interesting read for sure. Very glad that I run linux as my desktop operating system, and do not use biometric sign in for Bitwarden on any device.