Bitwarden Heist – How to break into password vaults without using passwords

"AppData" is where user specific application data is supposed to be stored.

"The Registry" is where application configuration is supposed to be stored.

"ProgramData" is where application specific data is supposed to be stored.

"Program Files" is where read-only application binaries and code is supposed to be stored.

It really is a simple concept from a Windows perspective. What ruins everything is overzealous and/or ignorant programmers who don't take any pride in their work, or lack all respect for the users environment. For example; an .ini file should not be a thing in Windows. That is what the registry is for. But the programmer writes the code for Linux, half-ass ports it to Windows, and leaves the .ini file because his code is more important to him than the end-users operating system.

There is nothing wrong with AppData permissions. The problem is with the users understanding of what it is for, and the developers understanding of how it should be used.

Microsoft is trying to do that with msix and a new filesystem driver that transparently restricts file system access to app. Should land into Windows 11 this year. See https://youtu.be/8T6ClX-y2AE for the functionality explaination.

>python script on GitHub that allows to decrypt passwords the browser stores locally in their %Appdata% directory.

Yes, otherwise known as "if you run code on your computer, it can run code on your computer".

If a random python program can "decrypt" the passwords, that's not encryption. And browser password management isn't about security, but convenience.

AppData is the Windows equivalent to Linux home directory dotfiles.

> Ideally applications should only have access to their own directories

This happens for Windows Store apps, which are sandboxed similarly to mobile phone apps.

There's probably nothing that I hate in programming more than having full access to the file system. Any time I write a program that has to delete a file I just make it move into a trash folder instead just in case I mess up somewhere and accidentally delete the entire file system.

Is there even a way to opt in to having a secret be accessible only for your process? Like, a way to maybe sign your executable and then use a windows api that then gets "oh. This process is made by the same vendor that created this secret, so it’ll be allowed access".

It’s just ridiculous that the most trivial, unprivileged process can just steal any file and any secret accessible by the user it’s run as. Unless that secret is protected with a key derived from a separate password the user has to put in.

So - the moral of the story is to never use Windows?

> The response was that if access to %Appdata% is completely blocked Windows won't work anymore.

Yikes. I really wish that instead of Microsoft wasting resources on telemetry nonsense, they would focus on optimizing their OS and modernizing some of these blatant security issues.

I guess it wont happen until we have another wave of ransomware malware or something of the sort.

I believe the following is the solution. https://learn.microsoft.com/en-us/windows/win32/secauthz/app... No?

Yes, it requires an attacker in a powerful position with local access. However, it does not require special privileges or techniques that may trigger endpoint security (such as keyloggers or memory dumping). The only requirements are reading a JSON file and making a single Windows API call to retrieve the key.

Agreed.

> "We recently conducted a penetration test with the goal of compromising the internal network of a client in a Windows environment. As usual, we managed to get administrative access to the domain controller"

This article feels like click-bait, when they buried the lede.

Everything is a tradeoff - but the basic balance is very strongly in favor of password managers:

1. without a password manager that is shared on all your devices, you WILL re-use passwords out of frustration. 2. without a password manager, if you do any sort of regular sharing passwords with a engineering team, friends & family, you'll resort to pretty insecure channels. 3. true E2E encryption, while still providing some surface area, has proven in the field through multiple pretty bad breaches[1], that it's a security model that holds up under real-world circumstances.

On the flip side, you are right: you are one compromised browser extension / binary away from having your local vault decrypted, and ALL your passwords compromised. But think about this: if someone has this much local access, chances are they can install a keylogger anyway, or read your clipboard, so the real difference is you've conveniently pre-loaded all your sensitive information in one go for the bad actor.

[1]For example: https://blog.lastpass.com/2022/12/notice-of-recent-security-...

They make it easy to have strong passwords and sync across devices.

You could use a local vault and sync yourself, use a piece of paper in a safe, or use your brain to store them.

All of these come with tradeoffs and their own risks. Pick your poison.

You can use password vaults without creating a single point of failure by enabling 2FA for the accounts in the vault, without storing the keys there. Of course, it would still be bad if the vault was compromised, but it would be unlikely that anyone could access those accounts without accessing your 2FA.

That's because it is a SPOF. However, a password manager seems to me the best compromise along the security / convenience axes.

I memorise good passwords for a handful of my most critical stuff (and have MFA). They don't go in my password manager.

If my password manager gets compromised then I probably could lose some cash, maybe get embarrassed by being impersonated on social media - it could get very inconvenient but not catastrophic.

The way I look at it is, password vault is a single point of failure with a very VERY tiny attack surface that attacker will need to directly target you with a sniper rifle to actually hit you (assuming you are not using things like Lastpass. I personally use Keepass and synchronize the local vault across devices using Syncthing). Suffice to say, unless your last name is Snowden, it should not be a concern to you.

Comparing to the common way of "managing" password (i.e. reusing one password everywhere), it is still a single point of failure. The difference is the attack surface balloons up in proportion to the number of website you sign up to. And just like a balloon, all it need is one poke, one website storing your password in plaintext to blow it all up.

Without using a vault, people end up re-using passwords or using weak passwords, which is IMO worse.

Before password managers people used the same password on every site. Vaults being a SPOF is true but not really relevant. They're still an improvement over what people did before.

I don't think anybody is arguing that password managers are the be-all and end-all of secure user authentication.

But what would you use instead for services that support only password authentication? And even for services with 2FA: If one of the factors is a password, where do you store it?

If done correctly it works. correctly being the operative word.

I'm not convinced crypto is inherently less secure; I'd argue it's more secure on average. Data breaches happen every day; whether in financial services or not. The difference is that a breach is catastrophic for crypto; but just bad for most businesses.

Out of the box is not enough. Debian has a checklist for building a secure system, as well as some helper tools for configuration: https://www.debian.org/doc/manuals/securing-debian-manual/in...

Yes. If you have LLMNR, NTLM enabled, unsigned SMB allowed, and nonencrypted LDAP bindings then your domain controller can be popped with zero effort by metasploit.

Legacy protocols can be very sticky and most repeat pentest engagements I am able to use the same exact method every time because they will never get addressed. Modern windows (since like vista-era) will use better stuff out of the box but will also allow downgrade attacks in the name of compatibility.

Hell, I still find SMBv1 in a lot of places.

Well, they're a pentesting company. Getting access to the DC is goal #1 for every engagement they do.

So, I read this to be "as usual for us during our engagements", not "as usual for everyone all the time".

I promise if you are using Windows AD and haven't had a pen test and remediation in the last few years - you would lose to a decent pentesting group.

It could be through social engineering which is the easiest way.

I wonder why that is. Do App Store Applications get extra privileges?

Why isn’t being signed enough for an application to store secrets only it can access in the keychain?

Not that we are aware of. The security model of Android and iOS also makes it much easier to implement biometric unlock correctly.

There are a few convenient scapegoats here but ultimately in this case it is not biometric unlock that enabled this but rather characteristic of the Active Directory's design (I'm not sure I will call it a weakness).

For Android and iOS if you forget your PIN code I believe you are screwed, as in no one can decrypt your device for you.

Probably not, given that Android's security model sandboxes apps and accordingly can identify which one is trying to access a given keychain credential.

I worked in managing bug bounty programs at a previous job. If there is one thing I have learned it's that blog posts like this are heavily skewed towards making the problem seem much larger than it is. It's what gets the clicks, so it's not a surprise. It makes dealing with penetration testers and bug bounty participants really stressful and frankly, annoying.

Our policy was that we would be happy if someone were to discuss bounties we paid out for, but we wanted the discussion to be fair and accurate. It did not ever really feel like it was mutually beneficial relationship. I don't miss that work at all really lol.

>the attack already assumes access to the workstation of the victim

I seldom can take "vulnerabilities" that require physical access seriously, because if a hostile is physically next to my computer I have more pressing concerns than some passwords.

And why would this be downvoted? Is there some specific holy aspect to password management services that makes them immune to being the victims of the same massive data leaks that frequently affect a whole broad range of tech companies?