Hacker News
by munchbunny 2081 days ago
You are supposed to be able to extract plaintext secrets with the Data Protection API if you are logged in as the user who the secret belongs to.

Yup. It's like saying you're able to read the private key out of ~/.ssh/id_rsa because you're logged in as the user, though with more steps because you need to deserialize the key from the internal representation. If you want this to not be possible even when logged in as the user, then use a hardware token like a smart card or smart-card-capable security key.

Could still be useful for post-exploitation as the OP mentions.