[nlawalker]

TL;DR: It's definitely interesting, but this is about attacking vaults with biometric unlock enabled (and are thus stored on disk) on Windows, and requires workstation access and a Bitwarden design flaw that was fixed in April.

> the attack already assumes access to the workstation of the victim and the Windows domain

> The underlying issue has been corrected in Bitwarden v2023.4.0 in April 2023

> As it turns out, we were not the first to discover this in March 2023, it had already been reported to Bitwarden through HackerOne.[1]

I could have sworn [1] had a dedicated post here on HN but couldn't find it, it's worth a read too.

[1]: https://hackerone.com/reports/1874155

[Dalewyn]

>the attack already assumes access to the workstation of the victim

I seldom can take "vulnerabilities" that require physical access seriously, because if a hostile is physically next to my computer I have more pressing concerns than some passwords.

[RedTeamPT]

Yes, it requires an attacker in a powerful position but it does not require physical access. Any program that runs in the user's session (without any special privileges) could have autonomously retrieved the biometric key and decrypted the vault without user interaction and without Bitwarden running.

[dist-epoch]

They mentioned not wanting to use keyloggers which would be their standard approach.

[elzbardico]

The problem is that an unsophisticated user doesn't necessarily think like that, and could come to the conclusion that it is not a big deal to leave his workstation unlocked while going to fetch a coffee, after all, well... "I have a password manager, and to have access to it, it requires unlocking". Then some colleague calls them for an ongoing meeting so they can share some insight about some question that was raised in the meeting and so on.

A far-fetched scenario? yes. But if it can happen, it will happen.

[BobaFloutist]

That unsophisticated user is also likely to have a printed out list of passwords taped to their monitor, or an unprotected excel file labelled "Passwords".

[eddythompson80]

To this day I don’t understand how “computer repair” shops are in business. When I was a shithead 16 year old I used to work at one. I found it amusing to see what files people deleted before giving us full physical access to their machines. I definitely saw things I shouldn’t have seen. It wasn’t until I saw something illegal that I freaked out and stopped doing it. I was so paranoid that I srm’ed my entire drive and theirs and never mentioned it to anybody. In retrospect I should have, but I was 16 and didn’t know what to do.

[Dalewyn]

For most people (ie: not us), computers are just another household appliance in the same vein as televisions, washing machines, refrigerators, and air conditioners. If it breaks, you get it fixed by a technician or go and get a new replacement.

[eddythompson80]

Yet they instinctively understand that they should delete certain files and prepare their computers for repair. We've had many who would walk in asking "hey, my computer is doing X is this fixable?" we would have no idea of course. We'd always ask can we see it, and they would say "I just don't wanna have to get it ready for repair if it wasn't possible"

This is why I totally understand when Apple or MS go overzealous with encryption or T2 or secure boot. Despite "people like us" complaining about it.

[Zetobal]

If you have machines that have users logged in, are unlocked when none of your users are working on them and that are in reach of a 3rd party you have bigger problems than this.

[ben0x539]

Everybody thinks their machines aren't within reach of a 3rd party until they are!

[gtirloni]

In this case, physical access is very brief and almost imperceptible if you're not paying attention.

It's different from trying to pry open an encrypted hard disk from a laptop or something similar.

You probably won't even know that coworker you trust is compromised and attacked you this way.