© 2025 科技回声. All rights reserved.

Bitwarden Heist – How to break into password vaults without using passwords

325 points, posted by RedTeamPT over 1 year ago

16 comments

walki, over 1 year ago
Microsoft's %Appdata% directory is a security nightmare in my opinion. Ideally applications should only have access to their own directories in %Appdata% by default. I recently came across a Python script on GitHub that allows one to decrypt the passwords the browser stores locally in its %Appdata% directory. Many attacks could be prevented if access to %Appdata% was more restricted.

I also found a post by an admin a few days ago where he asked if there was a Windows setting for disallowing any access to %Appdata%. The response was that if access to %Appdata% is completely blocked, Windows won't work anymore.
hypeatei, over 1 year ago
I'm glad they made some improvements to security as a result of this finding. This "attack" is still very specialized though and requires local access which (as mentioned) could've exposed the user to keyloggers and other malware.
nati0n, over 1 year ago
Website overloaded. Archived version here: https://web.archive.org/web/20240103131242/https://blog.redteam-pentesting.de/2024/bitwarden-heist/
tamimio, over 1 year ago
Ok, but it assumes the domain is compromised, as stated in the article, and if the domain controller is compromised it's game over for connected machines; hence these attacks usually focus on domain admin or schema admin. Edit: it seems the second, non-biometric method doesn't need the domain; it still, however, needs that local access.

> S-1-5-21-505269936…

Kind of off topic, but around 20 years ago when I had my first portable hard disk, I used this method by creating these types of folders and remembering the number sequence in a creative way to hide my files when traveling/crossing borders, while putting some decoy files in plain sight, before knowing/using data encryption, and it worked. I remember the agent taking my HDD and seeing him going through the decoy files and then returning my HDD normally.
WalterBright, over 1 year ago
I've always considered password vaults as a single point of failure that will compromise all of your passwords. I've had lots of intelligent, well-informed programmers argue that my concern is groundless.
kritr, over 1 year ago
Sounds like the bigger issue in this case is that it’s not clear to developers in which cases they can rely on DPAPI to be entirely local, which I assume is what’s needed for password manager style applications.
0xbadcafebee, over 1 year ago
tl;dr

> This means that any process that runs as the low-privileged user session can simply ask DPAPI for the credentials to unlock the vault, no questions asked and no PIN or fingerprint prompt required and Windows Hello is not even involved at all. The only caveat is that this does not work for other user accounts.

Yikes

> Bitwarden has since made changes to their codebase to mitigate this particular scenario, which we will quickly summarize in the next section. They have also changed the default setting when using Windows Hello as login feature to require entering the main password at least once when Bitwarden is started.

Phew

Props to the security researchers for finding this bug! It's great that we have the infosec community to help protect us. Feels like one of the few industries whose monetary incentive is to help the public.
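The property that both walki's comment (browser-password scripts reading %Appdata%) and the quoted passage above turn on is that a DPAPI blob protected in CurrentUser scope is bound to the user account, not to any unlock event, so any process in that user's session can decrypt it without a prompt. The following PowerShell script is an added example written for this page, not code from the blog post or from Bitwarden: it protects a sample secret, recovers it from a second process running as the same user, and then shows the one extra knob DPAPI offers, optional entropy, which only helps if that second secret is not itself stored beside the blob. Assumptions: Windows PowerShell 5.1 on Windows; the sample secret, the entropy value and the file name dpapi-demo.bin under %APPDATA% are constructed for the demo.

```powershell
# Added example (not from the blog post or Bitwarden): DPAPI CurrentUser scope
# is a per-account boundary, not a per-unlock one.
Add-Type -AssemblyName System.Security

$scope  = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
$secret = [System.Text.Encoding]::UTF8.GetBytes('vault-unlock-key-example')   # constructed sample

# 1. "Application" side: protect the secret the way a naive app would and park
#    the blob in %APPDATA% (hypothetical file name for the demo).
$blob     = [System.Security.Cryptography.ProtectedData]::Protect($secret, $null, $scope)
$blobPath = Join-Path $env:APPDATA 'dpapi-demo.bin'
[System.IO.File]::WriteAllBytes($blobPath, $blob)

# 2. "Attacker" side: a separate process, same user account, reads the file and
#    asks DPAPI for the plaintext. No PIN, no biometric, no consent dialog.
$childScript = @"
Add-Type -AssemblyName System.Security
`$b = [System.IO.File]::ReadAllBytes('$blobPath')
`$p = [System.Security.Cryptography.ProtectedData]::Unprotect(`$b, `$null,
        [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
[System.Text.Encoding]::UTF8.GetString(`$p)
"@
$encoded   = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($childScript))
$recovered = & powershell.exe -NoProfile -NonInteractive -EncodedCommand $encoded
"Recovered from a second process as the same user: $recovered"

# 3. Optional entropy: DPAPI mixes a caller-supplied secret into the key.
#    Unprotect without it fails, so an attacker needs the entropy too. This is
#    only a mitigation when the entropy is not written to disk next to the blob
#    (for example, held in the process that owns the unlock state).
$entropy = [System.Text.Encoding]::UTF8.GetBytes('extra-secret-held-in-memory')  # constructed sample
$blob2   = [System.Security.Cryptography.ProtectedData]::Protect($secret, $entropy, $scope)
try {
    [void][System.Security.Cryptography.ProtectedData]::Unprotect($blob2, $null, $scope)
    'Unexpected: decrypted without the entropy'
} catch [System.Security.Cryptography.CryptographicException] {
    'Without the entropy: CryptographicException, as expected'
}
$plain2 = [System.Security.Cryptography.ProtectedData]::Unprotect($blob2, $entropy, $scope)
"With the entropy: $([System.Text.Encoding]::UTF8.GetString($plain2))"

Remove-Item $blobPath -ErrorAction SilentlyContinue
```

Run it from an ordinary user session; it needs no elevation, which is the point. The entropy step is not the fix Bitwarden shipped (the page does not describe that fix), it only illustrates that DPAPI alone cannot express "decrypt only after the user has just authenticated"; that property has to come from wherever the extra secret lives and how it is released.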
rdl, over 1 year ago
The complexity of deployed identification/auth chain/secrets management/etc. is pretty terrifying; even if you can somehow understand it for one OS and hardware platform, if your service needs to support multiple OSes plus web plus multiple auth technologies plus a recovery path and everything else, dragons.

This is one of the few things cryptocurrency gets right in one specific way better than most other applications: in most cases, everything is explicitly about operations with a key, and you build up protections on both sides of that. Unfortunately those protections themselves are often inadequate (hence billions of dollars in losses), but it's at least conceptually simpler and potentially could be fixed.
Aerbil313, over 1 year ago
Tangential, what is the state of security on Linux desktop nowadays? Say out-of-the-box Debian 12 using Wayland. Is it still just that nobody is attacking Linux so it's safe?
gtirloni, over 1 year ago
> As usual, we managed to get administrative access to the domain controller

As usual? Is that the state of Windows Server security these days? I never managed a Windows-based network, so I have no idea. I heard about these things back in the 2000s, but I'm surprised this is "usual".
hiatus, over 1 year ago
Interestingly, the latest versions of Bitwarden for Mac that are available for download from GitHub no longer work with biometric authentication, requiring the user to download the app from the App Store in order to use that functionality.
guerby, over 1 year ago
I wonder if biometric Bitwarden unlock on Android has the same kind of issue or not.
rmbyrro, over 1 year ago
There should be a warning label on Windows like there is for cigarettes.

Every time a user logs in, Microsoft should be obliged by law to show: "Your computer will get cancer if you proceed with logging in."
2bluesc, over 1 year ago
This affects Windows only.

I really feel that should've made it into the title; otherwise it feels like clickbait.
nlawalker, over 1 year ago
TL;DR: It's definitely interesting, but this is about attacking vaults with biometric unlock enabled (and thus stored on disk) on Windows, and requires workstation access and a Bitwarden design flaw that was fixed in April.

> the attack already assumes access to the workstation of the victim and the Windows domain

> The underlying issue has been corrected in Bitwarden v2023.4.0 in April 2023

> As it turns out, we were not the first to discover this in March 2023, it had already been reported to Bitwarden through HackerOne.[1]

I could have sworn [1] had a dedicated post here on HN but couldn't find it; it's worth a read too.

[1]: https://hackerone.com/reports/1874155
southernplaces7, over 1 year ago
I've always thought the trust placed in password managers was deeply misplaced. Like any company, it's only a question of time and circumstance until one of them is massively breached, but right here on HN a whole bunch of people who should know better are recommending them as if they were flowers from heaven. Because of course, hey, "it's just convenient".