by 0xbadcafebee
894 days ago
tl;dr This means that any process that runs as the low-privileged user session can simply ask DPAPI for the credentials to unlock the vault, no questions asked, no PIN or fingerprint prompt required, and Windows Hello is not even involved at all. The only caveat is that this does not work for other user accounts.

Yikes

Bitwarden has since made changes to their codebase to mitigate this particular scenario, which we will quickly summarize in the next section. They have also changed the default setting when using Windows Hello as a login feature to require entering the main password at least once when Bitwarden is started.

Phew

Props to the security researchers for finding this bug! It's great that we have the infosec community to help protect us. Feels like one of the few industries whose monetary incentive is to help the public.