by xxkylexx 2774 days ago
It does do this [1]; however, it is a little more complex since Bitwarden has to backwards-compat support old data that was AES-CBC encrypted from long ago before auth checks were implemented, while also combating against downgrade attacks. This same discussion was had back in January when you (I assume this is PIE Scott) reported the problem in issue 306171 on HackerOne which was closed out.

[1]: https://github.com/bitwarden/jslib/blob/master/src/services/...

1 comments

Oh, this did seem familiar!

The AES-CBC thing is tied to the key, right? So the downgrade attack isn't possible.

Yes, new account keys are identified (presence of a mac key) and block the downgrade (see code link above).
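
The key-bound downgrade check discussed in this thread, as an added sketch that is not part of the thread and not Bitwarden's code: the type tags, the `type.iv|ct|mac` layout and every name below are assumptions made for illustration, and the AES-CBC decryption that would follow a successful check is left out.

```python
import base64
import hashlib
import hmac
from typing import NamedTuple, Optional, Tuple

# Hypothetical type tags and envelope layout for this sketch.
CBC_ONLY, CBC_HMAC = 0, 2   # legacy AES-CBC without MAC / AES-CBC + HMAC-SHA256

class Key(NamedTuple):
    enc_key: bytes
    mac_key: Optional[bytes] = None   # None only for legacy keys

class DowngradeError(Exception):
    pass

class MacError(Exception):
    pass

def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode()

def make_envelope(iv: bytes, ct: bytes, key: Key) -> str:
    """Build 'type.iv|ct[|mac]' for already-encrypted bytes (constructed format)."""
    if key.mac_key is None:
        return f"{CBC_ONLY}.{_b64(iv)}|{_b64(ct)}"
    mac = hmac.new(key.mac_key, iv + ct, hashlib.sha256).digest()
    return f"{CBC_HMAC}.{_b64(iv)}|{_b64(ct)}|{_b64(mac)}"

def authenticate(envelope: str, key: Key) -> Tuple[bytes, bytes]:
    """Return (iv, ct) ready for AES-CBC decryption, or raise."""
    tag, _, body = envelope.partition(".")
    etype = int(tag)
    parts = [base64.b64decode(p, validate=True) for p in body.split("|")]
    # The key, not the attacker-controlled type tag, decides if a MAC is required.
    if key.mac_key is not None:
        if etype != CBC_HMAC or len(parts) != 3:
            raise DowngradeError("key has a MAC key; unauthenticated data refused")
        iv, ct, mac = parts
        expected = hmac.new(key.mac_key, iv + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            raise MacError("MAC mismatch")
        return iv, ct
    # Legacy key: only the old unauthenticated layout is accepted.
    if etype != CBC_ONLY or len(parts) != 2:
        raise ValueError("unexpected layout for a legacy key")
    return parts[0], parts[1]
```
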