Technology

81286 readers

4679 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related news or articles.
Be excellent to each other!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
Check for duplicates before posting, duplicates may be removed
Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago

MODERATORS

L3s@lemmy.world

enu@lemmy.world

technopagan@lemmy.world

L4s@lemmy.world

L3s@hackingne.ws

138

You probably can't trust your password manager if it's compromised (www.theregister.com)

submitted 12 hours ago by floofloof@lemmy.ca to c/technology@lemmy.world

74 comments fedilink hide all child comments

cross-posted from: https://infosec.pub/post/42164102

Researchers demo weaknesses affecting some of the most popular options Academics say they found a series of flaws affecting three popular password managers, all of which claim to protect user credentials in the event that their servers are compromised.…

you are viewing a single comment's thread
view the rest of the comments

[–] Auster@thebrainbin.org 224 points 12 hours ago (4 children)

You probably can't trust anything if it's compromised

[–] Pratai@piefed.ca 12 points 7 hours ago (1 children)

Are you trying to say the front fell off?

[–] wreckedcarzz@lemmy.world 2 points 1 hour ago

That's not very typical

[–] unhrpetby@sh.itjust.works 8 points 8 hours ago (2 children)

Bitwarden is a zero-knowledge encryption password manager. This means that Bitwarden as a company cannot see your passwords. They remain encrypted end-to-end with your individual email and Master Password. Bitwarden never stores and cannot access your Master Password.

[–] unexposedhazard@discuss.tchncs.de 2 points 2 hours ago* (last edited 2 hours ago)

And if the client software itself is compromised then all that is meaningless.

[–] underisk@lemmy.ml 17 points 8 hours ago (1 children)

BW06: Icon URL Item Decryption. Items can include a URL field, which is used to autofill the credentials and display an icon on the client. The client decrypts the URL and fetches the icon from the server, including in its request the domain and top-level domain of the URL. For instance, if the URL is “https://host.tld/path%E2%80%9D, the client request includes “host.tld”. This means that the adversary can learn (part of) the con- tents of URL fields. Using Attack BW05, an adversary can place the ciphertext of sensitive item fields, such as a user- name or a password, in the encrypted URL field. After fetch- ing the item, the client will then decrypt the ciphertext, confus- ing it for a URL. If the plaintext satisfies some conditions (i.e. containing a ‘.’ and no !), it will be leaked to the adversary. A URL checksum feature was deployed in July 2024, mak- ing the clients store a hash of the URL in another encrypted item field, therefore providing a rudimentary integrity check and preventing this attack. Note that old items are never up- dated to add such a checksum: this feature only protects items created after its introduction. Furthermore, URL checksums are only checked if a per-item key is present for the item. As we will see, an adversary can prevent per-item keys from being enabled with Attack BW10.

IMPACT. The adversary can recover selected target ciphertexts in the item, such as the username or the password.

REQUIREMENTS. The user opens a vault containing items that do not use per-item keys (i.e., items created before July 2024, or after Attack BW10 is run). The target plaintext must satisfy some additional conditions, detailed in Appendix

-- from the paper the article is discussing

So you could potentially expose your passwords to a compromised server or some kind of MITM. If they meet the conditions for the validation check, anyway.

[–] unhrpetby@sh.itjust.works 1 points 4 hours ago* (last edited 4 hours ago) (1 children)

My comment was to answer the question of: "Why is this relevant?" (Its been asked a lot). It's relevant because Bitwarden is claiming that they "cannot see your passwords".

[–] underisk@lemmy.ml 1 points 3 hours ago

I didn't think you were making the post to defend Bitwarden or something. I was just adding the details of one of the exploits the paper found that directly contradicted their claim.

[–] floofloof@lemmy.ca 44 points 12 hours ago* (last edited 12 hours ago) (1 children)

Well the specific point here is that these companies claim that a server hack won't reveal your passwords since they're encrypted and decrypted on your local device so the server only sees the encrypted version. Apparently this isn't completely true.

[–] philpo@feddit.org 4 points 3 hours ago

At the point someone pulls off a valid MIM attack - which is basically a requirement here unless the whole BW/Vaultwarden server gets compromised- that is the least of someones problems. MIMs are incredibily hard these days.

[–] tal@lemmy.today 33 points 12 hours ago (1 children)

Yeah, the title there really doesn't reflect the article text. It should be "you probably can't trust your password manager if the remote servers it uses are compromised".

[–] hummingbird@lemmy.world 1 points 3 hours ago

That would be an understatement since all services claim your data is safe even in that case which is not true.