by AdamJacobMuller 1391 days ago
> even a full breach of their servers would fail to leak passwords

This is a dangerous fallacy. Nothing fundamentally would prevent someone who attacked their infrastructure from pushing a malicious app update or a malicious extension update which exfiltrated the decrypted library from the client side.

2 comments

I wasn't specific about that. I should have said a full dump of their database.

Yes, if someone got into their supply chain, they could push a malicious update. That's also true of KeePass and every other password manager. There's no way to avoid that vector.

Are there any instances of this happening? I feel like it would be caught so fast it's not worth trying.
> As customers downloaded the update, they unwittingly pulled down and installed the backdoor at the same time. The malicious code was itself cleverly designed, would execute commands, and provided remote admin access. The hackers then used that foothold to create and cryptographically sign the necessary security tokens to hoodwink systems into believing subsequent access to other accounts and resources was legitimate.

https://www.theregister.com/2020/12/15/solar_winds_update/

Wow, that is worrying how long it took to catch. Seems like companies need to be monitoring their releases more carefully.